From be243b52d790928f9e29e303fb132f3c26328e01 Mon Sep 17 00:00:00 2001
From: Krzysztof Ostrowski
Date: Fri, 19 Jun 2026 10:59:00 +0200
Subject: [PATCH 1/3] go.*: bump client-go
---
 go.mod | 4 ++--
 go.sum | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/go.mod b/go.mod
index 3dd033fb67..ab8e492020 100644
--- a/go.mod
+++ b/go.mod
@@ -18,9 +18,9 @@ require (
 github.com/onsi/gomega v1.38.2
 github.com/opencontainers/go-digest v1.0.0
 github.com/opencontainers/selinux v1.13.0
- github.com/openshift/api v0.0.0-20260521125114-09730f85d883
+ github.com/openshift/api v0.0.0-20260618083218-a3c8dea7f8bc
 github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee
- github.com/openshift/client-go v0.0.0-20260512113608-deb4dc54551a
+ github.com/openshift/client-go v0.0.0-20260618131434-17fd91ed6167
 github.com/pkg/errors v0.9.1
 github.com/pkg/profile v1.7.0
 github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.74.0
diff --git a/go.sum b/go.sum
index 25dac0333f..74bb5a4007 100644
--- a/go.sum
+++ b/go.sum
@@ -225,12 +225,12 @@ github.com/opencontainers/image-spec v1.0.2 h1:9yCKha/T5XdGtO0q9Q9a6T5NUCsTn/DrB
 github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
 github.com/opencontainers/selinux v1.13.0 h1:Zza88GWezyT7RLql12URvoxsbLfjFx988+LGaWfbL84=
 github.com/opencontainers/selinux v1.13.0/go.mod h1:XxWTed+A/s5NNq4GmYScVy+9jzXhGBVEOAyucdRUY8s=
-github.com/openshift/api v0.0.0-20260521125114-09730f85d883 h1:So9yxVJRY+F1aVBjcDw6N3M4h30wyH/GpkazK8xT4TI=
-github.com/openshift/api v0.0.0-20260521125114-09730f85d883/go.mod h1:pyVjK0nZ4sRs4fuQVQ4rubsJdahI1PB94LnQ8sGdvxo=
+github.com/openshift/api v0.0.0-20260618083218-a3c8dea7f8bc h1:EOhLyqTo5g0sM3MVrKO7Zh2CoVyqNt7Q7zGE15S79Fg=
+github.com/openshift/api v0.0.0-20260618083218-a3c8dea7f8bc/go.mod h1:pyVjK0nZ4sRs4fuQVQ4rubsJdahI1PB94LnQ8sGdvxo=
 github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee h1:+Sp5GGnjHDhT/a/nQ1xdp43UscBMr7G5wxsYotyhzJ4=
 github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE=
-github.com/openshift/client-go v0.0.0-20260512113608-deb4dc54551a h1:EKx2XhOKehd1C5ptY7IrLl4WV35E8kP0pRPnG5BUZXk=
-github.com/openshift/client-go v0.0.0-20260512113608-deb4dc54551a/go.mod h1:V933kvY/cb/Un7UCEOhXHUySNX327u7Epe8g9KNqg2Q=
+github.com/openshift/client-go v0.0.0-20260618131434-17fd91ed6167 h1:TfqgEkvjjdzmVW3wkXWjh65rF+cjahnrBMbRdraT4Wo=
+github.com/openshift/client-go v0.0.0-20260618131434-17fd91ed6167/go.mod h1:SYV1Wn6Pd27K9olD4WbUtjn4RWU83b9UjG1rbaQsTRE=
 github.com/orisano/pixelmatch v0.0.0-20220722002657-fb0b55479cde/go.mod h1:nZgzbfBr3hhjoZnS66nKrHmduYNpc34ny7RK4z5/HM0=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
From 445d478c4d0f13f658225b79d4e54da631eb50e7 Mon Sep 17 00:00:00 2001
From: Krzysztof Ostrowski
Date: Fri, 19 Jun 2026 10:59:07 +0200
Subject: [PATCH 2/3] vendor: bump
Signed-off-by: Krzysztof Ostrowski
---
 .../openshift/api/.ci-operator.yaml | 2 +-
 .../github.com/openshift/api/Dockerfile.ocp | 4 +-
 vendor/github.com/openshift/api/Makefile | 21 +
 .../api/config/v1/types_authentication.go | 385 +++++++++++++++++-
 .../api/config/v1/types_tlssecurityprofile.go | 122 +++++-
 .../api/config/v1/zz_generated.deepcopy.go | 178 ++++++++
 ..._generated.featuregated-crd-manifests.yaml | 2 +
 .../v1/zz_generated.swagger_doc_generated.go | 116 +++++-
 .../v1alpha1/types_cluster_monitoring.go | 307 +++++++++++++-
 .../config/v1alpha1/zz_generated.deepcopy.go | 90 ++++
 .../zz_generated.swagger_doc_generated.go | 61 ++-
 vendor/github.com/openshift/api/features.md | 13 +-
 .../openshift/api/features/features.go | 71 +++-
 .../api/features/legacyfeaturegates.go | 2 +
 .../api/operator/v1/types_authentication.go | 5 +
 .../openshift/api/operator/v1/types_etcd.go | 4 +-
 ..._ingress.go => types_ingresscontroller.go} | 0
 .../api/operator/v1/types_kmsencryption.go | 80 ++++
 .../api/operator/v1/types_kubeapiserver.go | 5 +
 .../operator/v1/types_openshiftapiserver.go | 5 +
 .../api/operator/v1/zz_generated.deepcopy.go | 45 +-
 ..._generated.featuregated-crd-manifests.yaml | 8 +-
 .../v1/zz_generated.swagger_doc_generated.go | 33 +-
 .../openshift/api/route/v1/generated.proto | 3 +-
 .../openshift/api/route/v1/types.go | 3 +-
 ..._generated.featuregated-crd-manifests.yaml | 3 +-
 .../config/v1/clientcredentialconfig.go | 98 +++++
 .../config/v1/clientsecretsecretreference.go | 32 ++
 .../config/v1/customtlsprofile.go | 10 +
 .../config/v1/externalclaimssource.go | 97 +++++
 .../config/v1/externalsourceauthentication.go | 57 +++
 ...ecertificateauthorityconfigmapreference.go | 34 ++
 .../config/v1/externalsourcepredicate.go | 43 ++
 .../config/v1/externalsourcetls.go | 30 ++
 .../config/v1/networkobservabilityspec.go | 33 ++
 .../config/v1/networkspec.go | 12 +
 .../config/v1/oidcprovider.go | 34 ++
 .../config/v1/sourcedclaimmapping.go | 51 +++
 .../config/v1/sourceurl.go | 67 +++
 .../config/v1/tlsprofilespec.go | 28 ++
 .../config/v1/tlssecurityprofile.go | 36 +-
 .../config/v1/vaultapproleauthentication.go | 2 +-
 .../config/v1/vaultkmspluginconfig.go | 12 +-
 .../config/v1/vaulttlsconfig.go | 2 +-
 .../v1alpha1/alertmanagercustomconfig.go | 25 +-
 .../config/v1alpha1/clustermonitoringspec.go | 13 +
 .../config/v1alpha1/kubestatemetricsconfig.go | 145 +++++++
 .../kubestatemetricsresourcelabels.go | 53 +++
 .../config/v1alpha1/nodeexporterconfig.go | 43 --
 .../config/v1alpha1/prometheusconfig.go | 2 +-
 .../config/v1alpha1/retention.go | 44 +-
 .../config/v1alpha1/thanosquerierconfig.go | 50 +++
 .../thanosquerierrequestloggingconfig.go | 34 ++
 .../applyconfigurations/internal/internal.go | 233 ++++++++++-
 .../config/applyconfigurations/utils.go | 26 ++
 .../applyconfigurations/internal/internal.go | 12 +
 .../operator/v1/etcdspec.go | 2 +-
 .../operator/v1/kmsencryptionstatus.go | 31 ++
 .../operator/v1/kmspluginhealthreport.go | 91 +++++
 .../operator/v1/kubeapiserverstatus.go | 10 +
 .../operator/v1/oauthapiserverstatus.go | 10 +
 .../operator/v1/openshiftapiserverstatus.go | 10 +
 .../operator/applyconfigurations/utils.go | 4 +
 vendor/modules.txt | 4 +-
 64 files changed, 2922 insertions(+), 166 deletions(-)
 rename vendor/github.com/openshift/api/operator/v1/{types_ingress.go => types_ingresscontroller.go} (100%)
 create mode 100644 vendor/github.com/openshift/api/operator/v1/types_kmsencryption.go
 create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clientcredentialconfig.go
 create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clientsecretsecretreference.go
 create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalclaimssource.go
 create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourceauthentication.go
 create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcecertificateauthorityconfigmapreference.go
 create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcepredicate.go
 create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcetls.go
 create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkobservabilityspec.go
 create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/sourcedclaimmapping.go
 create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/sourceurl.go
 create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/kubestatemetricsconfig.go
 create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/kubestatemetricsresourcelabels.go
 create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/thanosquerierrequestloggingconfig.go
 create mode 100644 vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/kmsencryptionstatus.go
 create mode 100644 vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/kmspluginhealthreport.go
diff --git a/vendor/github.com/openshift/api/.ci-operator.yaml b/vendor/github.com/openshift/api/.ci-operator.yaml
index a3628cf240..1d88a59fdf 100644
--- a/vendor/github.com/openshift/api/.ci-operator.yaml
+++ b/vendor/github.com/openshift/api/.ci-operator.yaml
@@ -1,4 +1,4 @@
 build_root_image:
 name: release
 namespace: openshift
- tag: rhel-9-release-golang-1.25-openshift-4.22
+ tag: rhel-9-release-golang-1.26-openshift-5.0
diff --git a/vendor/github.com/openshift/api/Dockerfile.ocp b/vendor/github.com/openshift/api/Dockerfile.ocp
index e04ec9fbc1..98870518c2 100644
--- a/vendor/github.com/openshift/api/Dockerfile.ocp
+++ b/vendor/github.com/openshift/api/Dockerfile.ocp
@@ -1,10 +1,10 @@
-FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS builder
+FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0 AS builder
 WORKDIR /go/src/github.com/openshift/api
 COPY . .
 ENV GO_PACKAGE github.com/openshift/api
 RUN make build --warn-undefined-variables
-FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
+FROM registry.ci.openshift.org/ocp/5.0:base-rhel9
 # copy the built binaries to /usr/bin
 COPY --from=builder /go/src/github.com/openshift/api/render /usr/bin/
diff --git a/vendor/github.com/openshift/api/Makefile b/vendor/github.com/openshift/api/Makefile
index ac20137fad..8b85144eaf 100644
--- a/vendor/github.com/openshift/api/Makefile
+++ b/vendor/github.com/openshift/api/Makefile
@@ -179,6 +179,27 @@ generate-with-container:
 integration:
 make -C tests integration
+# Run API review evals. Requires claude CLI.
+# EVAL_RUNS=5 Number of runs per test case (default: 1)
+# EVAL_THRESHOLD=0.8 Minimum pass rate (default: 0.8)
+# EVAL_GOLDEN_MODEL=... Model for golden tests (default: sonnet)
+# EVAL_INTEGRATION_MODEL=... Model for integration tests (default: opus)
+# EVAL_JUDGE_MODEL=... Model for judging results (default: haiku)
+# EVAL_GOLDEN_PROCS=4 Max parallel golden tests (default: 4)
+# EVAL_INTEGRATION_PROCS=2 Max parallel integration tests (default: 2)
+# EVAL_GINKGO_ARGS=... Extra ginkgo args
+.PHONY: eval
+eval:
+ $(MAKE) -C tests eval
+
+.PHONY: eval-golden
+eval-golden:
+ $(MAKE) -C tests eval-golden
+
+.PHONY: eval-integration
+eval-integration:
+ $(MAKE) -C tests eval-integration
+
 tests-vendor:
 make -C tests vendor
diff --git a/vendor/github.com/openshift/api/config/v1/types_authentication.go b/vendor/github.com/openshift/api/config/v1/types_authentication.go
index 1a036bbb67..348ee04010 100644
--- a/vendor/github.com/openshift/api/config/v1/types_authentication.go
+++ b/vendor/github.com/openshift/api/config/v1/types_authentication.go 
@@ -5,7 +5,7 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 // +genclient
 // +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDC;ExternalOIDCWithUIDAndExtraClaimMappings;ExternalOIDCWithUpstreamParity,rule="!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace == specC.componentNamespace && statusC.componentName == specC.componentName) || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, oldC.componentNamespace == specC.componentNamespace && oldC.componentName == specC.componentName)))))",message="all oidcClients in the oidcProviders must match their componentName and componentNamespace to either a previously configured oidcClient or they must exist in the status.oidcClients"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDC;ExternalOIDCWithUIDAndExtraClaimMappings;ExternalOIDCWithUpstreamParity;ExternalOIDCExternalClaimsSourcing,rule="!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace == specC.componentNamespace && statusC.componentName == specC.componentName) || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, oldC.componentNamespace == specC.componentNamespace && oldC.componentName == specC.componentName)))))",message="all oidcClients in the oidcProviders must match their componentName and componentNamespace to either a previously configured oidcClient or they must exist in the status.oidcClients"
 // Authentication specifies cluster-wide settings for authentication (like OAuth and
 // webhook token authenticators). The canonical name of an instance is `cluster`.
@@ -91,6 +91,7 @@ type AuthenticationSpec struct {
 // +openshift:enable:FeatureGate=ExternalOIDC
 // +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings
 // +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity
+ // +openshift:enable:FeatureGate=ExternalOIDCExternalClaimsSourcing
 // +optional
 OIDCProviders []OIDCProvider `json:"oidcProviders,omitempty"`
 }
@@ -245,6 +246,36 @@ type OIDCProvider struct {
 // +optional
 // +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity
 UserValidationRules []TokenUserValidationRule `json:"userValidationRules,omitempty"`
+
+ // externalClaimsSources is an optional field that can be used to configure
+ // sources, external to the token provided in a request, in which claims
+ // should be fetched from and made available to the claim mapping process
+ // that is used to build the identity of a token holder.
+ //
+ // For example, fetching additional user metadata from an OIDC provider's UserInfo endpoint.
+ //
+ // When not specified, only claims present in the token itself will be available
+ // in the claim mapping process.
+ //
+ // When specified, at least one external claim source must be specified and no more than 5
+ // sources may be specified.
+ // All external claim sources must have unique claim mappings.
+ // When an external source responds and resolves additional claims successfully, they will
+ // be made available as claims during the claim mapping process.
+ // Externally sourced claims with the same name as a claim existing within the token will
+ // overwrite the claim data from the token with the externally sourced information.
+ // If an external source does not respond, responds with an error, or the additional
+ // claim data cannot be resolved from the response successfully it will not be
+ // included in the claim data passed to the claim mapping process.
+ //
+ // +openshift:enable:FeatureGate=ExternalOIDCExternalClaimsSourcing
+ //
+ // +optional
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:MaxItems=5
+ // +kubebuilder:validation:XValidation:rule="self.all(s, s.mappings.all(m, self.filter(s2, s2.mappings.exists(m2, m2.name == m.name)).size() == 1))",message="mapping names must be unique across all external claim sources."
+ // +listType=atomic
+ ExternalClaimsSources []ExternalClaimsSource `json:"externalClaimsSources,omitempty"`
 }
 // +kubebuilder:validation:MinLength=1
@@ -831,3 +862,355 @@ type TokenUserValidationRule struct {
 // +kubebuilder:validation:MaxLength=256
 Message string `json:"message,omitempty"`
 }
+
+// ExternalClaimsSource provides the configuration for a single external claim source.
+type ExternalClaimsSource struct {
+ // authentication is an optional field that configures how the apiserver authenticates with an external claims source.
+ // When not specified, anonymous authentication is used which means no 'Authorization' header
+ // is sent in the HTTP request to fetch the external claims.
+ //
+ // +optional
+ Authentication ExternalSourceAuthentication `json:"authentication,omitzero"`
+
+ // tls is an optional field that configures the http client TLS
+ // settings when fetching external claims from this source.
+ //
+ // When omitted, system default TLS settings will be used
+ // for fetching claims from the external source.
+ //
+ // +optional
+ TLS ExternalSourceTLS `json:"tls,omitzero"`
+
+ // url is a required configuration of the URL
+ // for which the external claims are located.
+ //
+ // +required
+ URL SourceURL `json:"url,omitzero"`
+
+ // mappings is a required list of the claim
+ // and response handling expression pairs
+ // that produces the claims from the external source.
+ // mappings must have at least 1 entry and must not exceed 16 entries.
+ // Entries must have a unique name across all external claim sources.
+ //
+ // +required
+ // +listType=map
+ // +listMapKey=name
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:MaxItems=16
+ Mappings []SourcedClaimMapping `json:"mappings,omitempty"`
+
+ // predicates is an optional list of constraints in
+ // which claims should attempt to be fetched from this
+ // external source.
+ //
+ // When omitted, claims are always fetched
+ // from this external source.
+ //
+ // When specified, all predicates must evaluate to 'true'
+ // before claims are attempted to be fetched from this external source.
+ // predicates must have at least 1 entry and must not exceed 16 entries.
+ // Entries must have unique expressions.
+ //
+ // +optional
+ // +listType=map
+ // +listMapKey=expression
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:MaxItems=16
+ Predicates []ExternalSourcePredicate `json:"predicates,omitempty"`
+}
+
+// ExternalSourceAuthenticationType is the type of authentication that should be used
+// when fetching claims from an external source.
+//
+// +enum
+// +kubebuilder:validation:Enum=RequestProvidedToken;ClientCredential
+type ExternalSourceAuthenticationType string
+
+const (
+ // ExternalSourceAuthenticationTypeRequestProvidedToken is an ExternalSourceAuthenticationType
+ // that represents that the token being evaluated for authentication
+ // should be used for authenticating with the external claims source.
+ // This is useful for scenarios where a token has multiple audiences
+ // and scopes so that it can be used to access both the cluster and
+ // the UserInfo endpoint that contains additional information about the
+ // user not present in the token.
+ ExternalSourceAuthenticationTypeRequestProvidedToken ExternalSourceAuthenticationType = "RequestProvidedToken"
+
+ // ExternalSourceAuthenticationTypeClientCredential is an ExternalSourceAuthenticationType
+ // that represents that the authenticator should use the OAuth2
+ // client credentials grant flow to obtain an access token for
+ // authenticating with the external claims source.
+ // This is useful for scenarios such as fetching user information
+ // from Microsoft's Graph API where a separate client credential
+ // is needed to access the API.
+ ExternalSourceAuthenticationTypeClientCredential ExternalSourceAuthenticationType = "ClientCredential"
+)
+
+// ExternalSourceAuthentication configures how the apiserver should attempt
+// to authenticate with an external claims source.
+//
+// +kubebuilder:validation:XValidation:rule="self.type == 'ClientCredential' ? has(self.clientCredential) : !has(self.clientCredential)",message="clientCredential is required when type is ClientCredential, and forbidden otherwise"
+type ExternalSourceAuthentication struct {
+ // type is a required field that sets the type of
+ // authentication method used by the authenticator
+ // when fetching external claims.
+ //
+ // Allowed values are 'RequestProvidedToken' and 'ClientCredential'.
+ //
+ // When set to 'RequestProvidedToken', the authenticator will
+ // use the token provided to the kube-apiserver as part of the
+ // request to authenticate with the external claims source.
+ //
+ // When set to 'ClientCredential', the authenticator will
+ // use the configured client-id, client-secret, and token endpoint
+ // to fetch an access token using the OAuth2 client credentials grant
+ // flow. The fetched access token will then be used to authenticate
+ // with the external claims source.
+ //
+ // +required
+ Type ExternalSourceAuthenticationType `json:"type,omitempty"`
+
+ // clientCredential configures the client credentials
+ // and token endpoint to use to get an access token.
+ // clientCredential is required when type is 'ClientCredential', and forbidden otherwise.
+ //
+ // +optional
+ ClientCredential ClientCredentialConfig `json:"clientCredential,omitzero"`
+}
+
+// ExternalSourceTLS configures the TLS options that the apiserver uses as a client
+// when making a request to the external claim source.
+type ExternalSourceTLS struct {
+ // certificateAuthority is a required reference to a ConfigMap in the openshift-config
+ // namespace that contains the CA certificate to use to validate TLS connections with the external claims source.
+ // The key "ca-bundle.crt" must be present in the referenced ConfigMap and must contain the CA certificate to be used
+ // to verify the external source's TLS certificate.
+ //
+ // +required
+ CertificateAuthority ExternalSourceCertificateAuthorityConfigMapReference `json:"certificateAuthority,omitzero"`
+}
+
+// ClientCredentialConfig configures the client credentials and token endpoint
+// to use to get an access token via the OAuth2 client credentials grant flow.
+type ClientCredentialConfig struct {
+ // clientID is a required client identifier to use during the OAuth2 client credentials flow.
+ // clientID must be at least 1 character in length, must not exceed 256 characters in length,
+ // and must only contain printable ASCII characters.
+ //
+ // +required
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=256
+ // +kubebuilder:validation:XValidation:rule="self.matches('^[[:print:]]+$')",message="clientID must only contain printable ASCII characters"
+ ClientID string `json:"clientID,omitempty"`
+
+ // clientSecret is a required reference to a Secret in the openshift-config namespace to be used
+ // as the client secret during the OAuth2 client credentials flow.
+ //
+ // The key 'client-secret' is used to locate the client secret data in the Secret.
+ //
+ // +required
+ ClientSecret ClientSecretSecretReference `json:"clientSecret,omitzero"`
+
+ // tokenEndpoint is a required URL to query for an access token using
+ // the client credential OAuth2 flow.
+ // tokenEndpoint must be at least 1 character in length and must not exceed 2048 characters in length.
+ // tokenEndpoint must be a valid HTTPS URL.
+ // tokenEndpoint must have a host and a path.
+ // tokenEndpoint must not contain query parameters, fragments,
+ // or user information (e.g., "user:password@host").
+ //
+ // +required
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=2048
+ // +kubebuilder:validation:XValidation:rule="isURL(self)",message="tokenEndpoint must be a valid HTTPS url"
+ // +kubebuilder:validation:XValidation:rule="isURL(self) && url(self).getScheme() == 'https'",message="tokenEndpoint must be a valid HTTPS url"
+ // +kubebuilder:validation:XValidation:rule="isURL(self) && url(self).getHost() != ''",message="tokenEndpoint must have a hostname"
+ // +kubebuilder:validation:XValidation:rule="isURL(self) && url(self).getEscapedPath() != ''",message="tokenEndpoint must have a path"
+ // +kubebuilder:validation:XValidation:rule="isURL(self) && url(self).getQuery() == {}",message="tokenEndpoint must not have query parameters"
+ // +kubebuilder:validation:XValidation:rule="isURL(self) && self.find('#(.+)$') == ''",message="tokenEndpoint must not have a fragment"
+ // +kubebuilder:validation:XValidation:rule="isURL(self) && !self.matches('^https://[^/]+@.+$')",message="tokenEndpoint must not have user info"
+ TokenEndpoint string `json:"tokenEndpoint,omitempty"`
+
+ // scopes is an optional list of OAuth2 scopes to request when obtaining
+ // an access token.
+ //
+ // If not specified, the token endpoint's default scopes
+ // will be used.
+ //
+ // When specified, there must be at least 1 entry and must not exceed 16 entries.
+ // Each entry must be at least 1 character in length and must not exceed 256 characters in length.
+ // Each entry must only contain printable ASCII characters, excluding spaces, double quotes and backslashes.
+ // Entries must be unique.
+ //
+ // +optional
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:MaxItems=16
+ // +listType=set
+ Scopes []OAuth2Scope `json:"scopes,omitempty"`
+
+ // tls is an optional field that allows configuring the TLS
+ // settings used to interact with the identity provider
+ // as an OAuth2 client.
+ //
+ // When omitted, system default TLS settings will be used
+ // for the OAuth2 client.
+ //
+ // +optional
+ TLS ExternalSourceTLS `json:"tls,omitzero"`
+}
+
+// OAuth2Scope is a string alias that represents an OAuth2 Scope as defined by https://datatracker.ietf.org/doc/html/rfc6749#appendix-A.4
+// Must be at least 1 character in length, must not exceed 256 characters in length and must only contain printable ASCII characters, excluding spaces, double quotes and backslashes.
+//
+// +kubebuilder:validation:XValidation:rule="self.matches('^[!#-[\\\\]-~]+$')",message="scopes must only contain printable ASCII characters excluding spaces, double quotes and backslashes"
+// +kubebuilder:validation:MinLength=1
+// +kubebuilder:validation:MaxLength=256
+type OAuth2Scope string
+
+// SourceURL configures the options used to build the URL that is queried for external claims.
+type SourceURL struct {
+ // hostname is a required hostname for which the external claims are located.
+ //
+ // It must be a valid DNS subdomain name as per RFC1123.
+ //
+ // This means that it must start and end with a lowercase alphanumeric character,
+ // must only consist of lowercase alphanumeric characters, '-', and '.'.
+ // hostname may optionally specify a port in the format ':{port}'.
+ // If a port is specified it must not exceed 65535.
+ //
+ // hostname must be at least 1 character in length.
+ // When specifying a port, hostname must not exceed 259 characters in length.
+ // When not specifying a port, hostname must not exceed 253 characters in length.
+ //
+ // +required
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=259
+ // +kubebuilder:validation:XValidation:rule="isURL('https://'+self)",message="hostname must be a valid hostname"
+ // +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self.split(':')[0]).hasValue()",message="hostname before port must start and end with a lowercase alphanumeric character, and must only contain lowercase alphanumeric characters, '-' or '.'"
+ // +kubebuilder:validation:XValidation:rule="self.split(':').size() > 1 ? int(self.split(':')[1]) <= 65535 : true",message="port must not exceed 65535"
+ Hostname string `json:"hostname,omitempty"`
+
+ // pathExpression is a required CEL expression that returns a list
+ // of string values used to construct the URL path.
+ // Claims from the token used for the request to the kube-apiserver
+ // are made available via the `claims` variable.
+ // expression must be at least 1 character in length and must not exceed 1024 characters in length.
+ //
+ // Values in the returned list will be joined with the hostname using a forward slash
+ // (`/`) as a separator. Values in the returned list do not need to include the forward slash.
+ // If a forward slash is included in a returned value, it will be encoded as `%2F`.
+ //
+ // Example of a static path configuration:
+ //
+ // pathExpression: ['realms', 'k8s', 'protocol', 'openid-connect', 'userinfo']
+ //
+ // The above example would resolve to the path: '/realms/k8s/protocol/openid-connect/userinfo'
+ //
+ // Example of a dynamic path configuration:
+ //
+ // pathExpression: "['admin', 'realms', 'k8s', 'users'] + [claims.sub] + ['groups']"
+ //
+ // Assuming 'claims.sub' is set to '12345', the above example would resolve to the path: '/admin/realms/k8s/users/12345/groups'
+ //
+ // +required
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=1024
+ PathExpression string `json:"pathExpression,omitempty"`
+}
+
+// SourcedClaimMapping configures the mapping behavior for a single external claim
+// from the response the apiserver received from the external claim source.
+type SourcedClaimMapping struct {
+ // name is a required name of the claim that
+ // will be produced and made available during
+ // the claim-to-identity mapping process.
+ // name must consist of only lowercase alpha characters and underscores ('_').
+ // name must be at least 1 character and must not exceed 256 characters in length.
+ //
+ // +required
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=256
+ // +kubebuilder:validation:XValidation:rule="self.matches('^[a-z_]+$')",message="name must consist of only lowercase alpha characters and underscores"
+ Name string `json:"name,omitempty"`
+
+ // expression is a required CEL expression that
+ // will produce a value to be assigned to the claim.
+ // The full response body from the request to the
+ // external claim source is provided via the
+ // `response.body` variable.
+ //
+ // The contents of the `response.body` variable varies based on the response received
+ // from the external source. It is the responsibility of those configuring
+ // this expression to understand what is returned from the external source.
+ //
+ // expression must be at least 1 character and must not exceed 1024 characters in length.
+ //
+ // +required
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=1024
+ Expression string `json:"expression,omitempty"`
+}
+
+// ExternalSourcePredicate configures a singular condition
+// that must return true before the external source is queried
+// to retrieve external claims.
+type ExternalSourcePredicate struct {
+ // expression is a required CEL expression that
+ // is used to determine whether or not an external
+ // source should be used to fetch external claims.
+ //
+ // The expression must return a boolean value,
+ // where true means that the source should be consulted
+ // and false means that it should not.
+ //
+ // Claims from the token used for the request to the kube-apiserver
+ // are made available via the `claims` variable.
+ //
+ // The contents of the `claims` variable varies based on the claims that are
+ // present in the token being validated. It is the responsibility of those configuring this
+ // field to understand what claims the identity provider includes when issuing tokens.
+ //
+ // expression must be at least 1 character and must not exceed 1024 characters in length.
+ //
+ // +required
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=1024
+ Expression string `json:"expression,omitempty"`
+}
+
+// ExternalSourceCertificateAuthorityConfigMapReference is a reference to a ConfigMap in the openshift-config
+// namespace that should be used for configuring the certificate authority to be
+// used when sourcing claims from external sources.
+type ExternalSourceCertificateAuthorityConfigMapReference struct {
+ // name is the required name of the ConfigMap that exists in the openshift-config namespace.
+ // The key "ca-bundle.crt" must be present and must contain the CA certificate to be used
+ // to verify the external source's TLS certificate.
+ //
+ // It must be at least 1 character in length, must not exceed 253 characters in length,
+ // must start and end with a lowercase alphanumeric character, and must only contain
+ // lowercase alphanumeric characters, '-' or '.'.
+ //
+ // +required
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=253
+ // +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="name must start and end with a lowercase alphanumeric character, and must only contain lowercase alphanumeric characters, '-' or '.'"
+ Name string `json:"name,omitempty"`
+}
+
+// ClientSecretSecretReference is a reference to a Secret in the openshift-config
+// namespace that should be used for configuring the client secret to be
+// used when sourcing claims from external sources with the client credential authentication flow.
+type ClientSecretSecretReference struct {
+ // name is the required name of the Secret that exists in the openshift-config namespace.
+ //
+ // It must be at least 1 character in length, must not exceed 253 characters in length,
+ // must start and end with a lowercase alphanumeric character, and must only contain
+ // lowercase alphanumeric characters, '-' or '.'.
+ //
+ // +required
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=253
+ // +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="name must start and end with a lowercase alphanumeric character, and must only contain lowercase alphanumeric characters, '-' or '.'"
+ Name string `json:"name,omitempty"`
+}
diff --git a/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go b/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go
index 48657b0894..2e9be97aeb 100644
--- a/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go
+++ b/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go
@@ -7,10 +7,16 @@ type TLSSecurityProfile struct {
 // type is one of Old, Intermediate, Modern or Custom. Custom provides the
 // ability to specify individual TLS security profile parameters.
 //
- // The profiles are based on version 5.7 of the Mozilla Server Side TLS
- // configuration guidelines. The cipher lists consist of the configuration's
- // "ciphersuites" followed by the Go-specific "ciphers" from the guidelines.
- // See: https://ssl-config.mozilla.org/guidelines/5.7.json
+ // The cipher and groups lists in these profiles are based on version 5.8 of the
+ // Mozilla Server Side TLS configuration guidelines.
+ // See: https://ssl-config.mozilla.org/guidelines/5.8.json
+ //
+ // The groups are listed in suggested preference order, with the most preferred group first.
+ // Note that not all platform components honor the ordering: Go-based components use Go's
+ // internal preference order and treat this list as a filter of allowed groups rather than
+ // an ordered preference.
+ // Note that X25519MLKEM768 is a post-quantum hybrid group that is not
+ // FIPS-approved and should be ignored by components running in FIPS mode.
 //
 // The profiles are intent based, so they may change over time as new ciphers are
 // developed and existing ciphers are found to be insecure. Depending on
@@ -23,6 +29,10 @@ type TLSSecurityProfile struct {
 // old is a TLS profile for use when services need to be accessed by very old
 // clients or libraries and should be used only as a last resort.
 //
+ // The supported groups list includes by default the following groups
+ // in suggested preference order (ordering may not be honored by all implementations):
+ // X25519MLKEM768, X25519, secp256r1, secp384r1.
+ //
 // This profile is equivalent to a Custom profile specified as:
 // minTLSVersion: VersionTLS10
 // ciphers:
@@ -39,11 +49,14 @@ type TLSSecurityProfile struct {
 // - ECDHE-RSA-AES128-SHA256
 // - ECDHE-ECDSA-AES128-SHA
 // - ECDHE-RSA-AES128-SHA
+ // - ECDHE-ECDSA-AES256-SHA384
+ // - ECDHE-RSA-AES256-SHA384
 // - ECDHE-ECDSA-AES256-SHA
 // - ECDHE-RSA-AES256-SHA
 // - AES128-GCM-SHA256
 // - AES256-GCM-SHA384
 // - AES128-SHA256
+ // - AES256-SHA256
 // - AES128-SHA
 // - AES256-SHA
 // - DES-CBC3-SHA
@@ -56,6 +69,10 @@ type TLSSecurityProfile struct {
 // legacy clients and want to remain highly secure while being compatible with
 // most clients currently in use.
 //
+ // The supported groups list includes by default the following groups
+ // in suggested preference order (ordering may not be honored by all implementations):
+ // X25519MLKEM768, X25519, secp256r1, secp384r1.
+ //
 // This profile is equivalent to a Custom profile specified as:
 // minTLSVersion: VersionTLS12
 // ciphers:
@@ -75,7 +92,9 @@ type TLSSecurityProfile struct {
 // modern is a TLS security profile for use with clients that support TLS 1.3 and
 // do not need backward compatibility for older clients.
- //
+ // The supported groups list includes by default the following groups
+ // in suggested preference order (ordering may not be honored by all implementations):
+ // X25519MLKEM768, X25519, secp256r1, secp384r1.
 // This profile is equivalent to a Custom profile specified as:
 // minTLSVersion: VersionTLS13
 // ciphers:
@@ -88,8 +107,11 @@ type TLSSecurityProfile struct {
 Modern *ModernTLSProfile `json:"modern,omitempty"`
 // custom is a user-defined TLS security profile. Be extremely careful using a custom
- // profile as invalid configurations can be catastrophic. An example custom profile
- // looks like this:
+ // profile as invalid configurations can be catastrophic.
+ //
+ // The supported groups list for this profile is empty by default.
+ //
+ // An example custom profile looks like this:
 //
 // minTLSVersion: VersionTLS11
 // ciphers:
@@ -142,6 +164,33 @@ const (
 TLSProfileCustomType TLSProfileType = "Custom"
 )
+// TLSGroup is a supported group identifier that can be used in TLSProfile.Groups.
+// There is a one-to-one mapping between these names and the group IDs defined
+// in Go's crypto/tls package based on IANA's "TLS Supported Groups" registry:
+// https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
+// Note that X25519MLKEM768 is a post-quantum hybrid group that is not
+// FIPS-approved and should be ignored by components running in FIPS mode.
+//
+// +kubebuilder:validation:Enum=X25519;secp256r1;secp384r1;secp521r1;X25519MLKEM768;SecP256r1MLKEM768;SecP384r1MLKEM1024
+type TLSGroup string
+
+const (
+ // TLSGroupX25519 represents X25519.
+ TLSGroupX25519 TLSGroup = "X25519"
+ // TLSGroupSecP256r1 represents P-256 (secp256r1).
+ TLSGroupSecP256r1 TLSGroup = "secp256r1"
+ // TLSGroupSecP384r1 represents P-384 (secp384r1).
+ TLSGroupSecP384r1 TLSGroup = "secp384r1"
+ // TLSGroupSecP521r1 represents P-521 (secp521r1).
+ TLSGroupSecP521r1 TLSGroup = "secp521r1"
+ // TLSGroupX25519MLKEM768 represents X25519MLKEM768.
+ TLSGroupX25519MLKEM768 TLSGroup = "X25519MLKEM768"
+ // TLSGroupSecP256r1MLKEM768 represents SecP256r1MLKEM768.
+ TLSGroupSecP256r1MLKEM768 TLSGroup = "SecP256r1MLKEM768"
+ // TLSGroupSecP384r1MLKEM1024 represents SecP384r1MLKEM1024.
+ TLSGroupSecP384r1MLKEM1024 TLSGroup = "SecP384r1MLKEM1024"
+)
+
 // TLSProfileSpec is the desired behavior of a TLSSecurityProfile.
 type TLSProfileSpec struct {
 // ciphers is used to specify the cipher algorithms that are negotiated
@@ -155,6 +204,30 @@ type TLSProfileSpec struct {
 // and are always enabled when TLS 1.3 is negotiated.
 // +listType=atomic
 Ciphers []string `json:"ciphers"`
+ // groups is an optional, ordered field used to specify the supported groups (formerly known as
+ // elliptic curves) that are used during the TLS handshake. The order of the groups represents
+ // a suggested preference, with the most preferred group first. Note that not all platform
+ // components honor the ordering: Go-based components use Go's internal preference order and
+ // treat this list as a filter of allowed groups rather than an ordered preference.
+ // Operators may remove entries their operands do not support.
+ //
+ // When omitted, this means no opinion and the platform is left to choose reasonable defaults which are
+ // subject to change over time and may be different per platform component depending on the underlying TLS
+ // libraries they use. If specified, the list must contain at least one and at most 7 groups,
+ // and each group must be unique.
+ //
+ // For example, to use X25519 and secp256r1 (yaml):
+ //
+ // groups:
+ // - X25519
+ // - secp256r1
+ //
+ // +optional
+ // +listType=set
+ // +kubebuilder:validation:MaxItems=7
+ // +kubebuilder:validation:MinItems=1
+ // +openshift:enable:FeatureGate=TLSGroupPreferences
+ Groups []TLSGroup `json:"groups,omitempty"`
 // minTLSVersion is used to specify the minimal version of the TLS protocol
 // that is negotiated during the TLS handshake. For example, to use TLS
 // versions 1.1, 1.2 and 1.3 (yaml):
@@ -187,16 +260,22 @@ const (
 // TLSProfiles contains a map of TLSProfileType names to TLSProfileSpec.
 //
-// These profiles are based on version 5.7 of the Mozilla Server Side TLS
-// configuration guidelines. See: https://ssl-config.mozilla.org/guidelines/5.7.json
+// The cipher and groups lists in these profiles are based on version 5.8 of the
+// Mozilla Server Side TLS configuration guidelines.
+// See: https://ssl-config.mozilla.org/guidelines/5.8.json
 //
 // Each Ciphers slice is the configuration's "ciphersuites" followed by the
-// Go-specific "ciphers" from the guidelines JSON.
+// "ciphers" from the guidelines JSON.
+//
+// Groups are listed in suggested preference order, though Go-based components may use
+// their own internal ordering. TLSProfiles Old, Intermediate, Modern include by default
+// the following groups: X25519MLKEM768, X25519, secp256r1, secp384r1
 //
 // NOTE: The caller needs to make sure to check that these constants are valid
 // for their binary. Not all entries map to values for all binaries. In the case
 // of ties, the kube-apiserver wins. Do not fail, just be sure to include only
-// valid entries and everything will be ok.
+// valid entries and everything will be ok. In particular, X25519MLKEM768 is
+// not FIPS-approved and must be omitted by components running in FIPS mode.
 var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{
 TLSProfileOldType: {
 Ciphers: []string{
@@ -213,15 +292,24 @@ var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{
 "ECDHE-RSA-AES128-SHA256",
 "ECDHE-ECDSA-AES128-SHA",
 "ECDHE-RSA-AES128-SHA",
+ "ECDHE-ECDSA-AES256-SHA384",
+ "ECDHE-RSA-AES256-SHA384",
 "ECDHE-ECDSA-AES256-SHA",
 "ECDHE-RSA-AES256-SHA",
 "AES128-GCM-SHA256",
 "AES256-GCM-SHA384",
 "AES128-SHA256",
+ "AES256-SHA256",
 "AES128-SHA",
 "AES256-SHA",
 "DES-CBC3-SHA",
 },
+ Groups: []TLSGroup{
+ TLSGroupX25519MLKEM768,
+ TLSGroupX25519,
+ TLSGroupSecP256r1,
+ TLSGroupSecP384r1,
+ },
 MinTLSVersion: VersionTLS10,
 },
 TLSProfileIntermediateType: {
@@ -236,6 +324,12 @@ var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{
 "ECDHE-ECDSA-CHACHA20-POLY1305",
 "ECDHE-RSA-CHACHA20-POLY1305",
 },
+ Groups: []TLSGroup{
+ TLSGroupX25519MLKEM768,
+ TLSGroupX25519,
+ TLSGroupSecP256r1,
+ TLSGroupSecP384r1,
+ },
 MinTLSVersion: VersionTLS12,
 },
 TLSProfileModernType: {
@@ -244,6 +338,12 @@ var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{
 "TLS_AES_256_GCM_SHA384",
 "TLS_CHACHA20_POLY1305_SHA256",
 },
+ Groups: []TLSGroup{
+ TLSGroupX25519MLKEM768,
+ TLSGroupX25519,
+ TLSGroupSecP256r1,
+ TLSGroupSecP384r1,
+ },
 MinTLSVersion: VersionTLS13,
 },
 }
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go
index 1a562b8582..13f1bc390d 100644
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go
+++ b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go
@@ -936,6 +936,45 @@ func (in *ClientConnectionOverrides) DeepCopy() *ClientConnectionOverrides { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClientCredentialConfig) DeepCopyInto(out *ClientCredentialConfig) { + *out = *in + out.ClientSecret = in.ClientSecret + if in.Scopes != nil { + in, out := &in.Scopes, &out.Scopes + *out = make([]OAuth2Scope, len(*in)) + copy(*out, *in) + } + out.TLS = in.TLS + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientCredentialConfig. +func (in *ClientCredentialConfig) DeepCopy() *ClientCredentialConfig { + if in == nil { + return nil + } + out := new(ClientCredentialConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClientSecretSecretReference) DeepCopyInto(out *ClientSecretSecretReference) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientSecretSecretReference. +func (in *ClientSecretSecretReference) DeepCopy() *ClientSecretSecretReference { + if in == nil { + return nil + } + out := new(ClientSecretSecretReference) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CloudControllerManagerStatus) DeepCopyInto(out *CloudControllerManagerStatus) { *out = *in 
@@ -2083,6 +2122,35 @@ func (in *EtcdStorageConfig) DeepCopy() *EtcdStorageConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ExternalClaimsSource) DeepCopyInto(out *ExternalClaimsSource) { + *out = *in + in.Authentication.DeepCopyInto(&out.Authentication) + out.TLS = in.TLS + out.URL = in.URL + if in.Mappings != nil { + in, out := &in.Mappings, &out.Mappings + *out = make([]SourcedClaimMapping, len(*in)) + copy(*out, *in) + } + if in.Predicates != nil { + in, out := &in.Predicates, &out.Predicates + *out = make([]ExternalSourcePredicate, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalClaimsSource. +func (in *ExternalClaimsSource) DeepCopy() *ExternalClaimsSource { + if in == nil { + return nil + } + out := new(ExternalClaimsSource) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ExternalIPConfig) DeepCopyInto(out *ExternalIPConfig) { *out = *in 
@@ -2168,6 +2236,72 @@ func (in *ExternalPlatformStatus) DeepCopy() *ExternalPlatformStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ExternalSourceAuthentication) DeepCopyInto(out *ExternalSourceAuthentication) { + *out = *in + in.ClientCredential.DeepCopyInto(&out.ClientCredential) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSourceAuthentication. +func (in *ExternalSourceAuthentication) DeepCopy() *ExternalSourceAuthentication { + if in == nil { + return nil + } + out := new(ExternalSourceAuthentication) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ExternalSourceCertificateAuthorityConfigMapReference) DeepCopyInto(out *ExternalSourceCertificateAuthorityConfigMapReference) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSourceCertificateAuthorityConfigMapReference. +func (in *ExternalSourceCertificateAuthorityConfigMapReference) DeepCopy() *ExternalSourceCertificateAuthorityConfigMapReference { + if in == nil { + return nil + } + out := new(ExternalSourceCertificateAuthorityConfigMapReference) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ExternalSourcePredicate) DeepCopyInto(out *ExternalSourcePredicate) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSourcePredicate. 
+func (in *ExternalSourcePredicate) DeepCopy() *ExternalSourcePredicate { + if in == nil { + return nil + } + out := new(ExternalSourcePredicate) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ExternalSourceTLS) DeepCopyInto(out *ExternalSourceTLS) { + *out = *in + out.CertificateAuthority = in.CertificateAuthority + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSourceTLS. +func (in *ExternalSourceTLS) DeepCopy() *ExternalSourceTLS { + if in == nil { + return nil + } + out := new(ExternalSourceTLS) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ExtraMapping) DeepCopyInto(out *ExtraMapping) { *out = *in @@ -4841,6 +4975,13 @@ func (in *OIDCProvider) DeepCopyInto(out *OIDCProvider) { *out = make([]TokenUserValidationRule, len(*in)) copy(*out, *in) } + if in.ExternalClaimsSources != nil { + in, out := &in.ExternalClaimsSources, &out.ExternalClaimsSources + *out = make([]ExternalClaimsSource, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } return } 
@@ -6181,6 +6322,38 @@ func (in *SignatureStore) DeepCopy() *SignatureStore { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SourceURL) DeepCopyInto(out *SourceURL) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourceURL. +func (in *SourceURL) DeepCopy() *SourceURL { + if in == nil { + return nil + } + out := new(SourceURL) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SourcedClaimMapping) DeepCopyInto(out *SourcedClaimMapping) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourcedClaimMapping. +func (in *SourcedClaimMapping) DeepCopy() *SourcedClaimMapping { + if in == nil { + return nil + } + out := new(SourcedClaimMapping) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Storage) DeepCopyInto(out *Storage) { *out = *in @@ -6239,6 +6412,11 @@ func (in *TLSProfileSpec) DeepCopyInto(out *TLSProfileSpec) { *out = make([]string, len(*in)) copy(*out, *in) } + if in.Groups != nil { + in, out := &in.Groups, &out.Groups + *out = make([]TLSGroup, len(*in)) + copy(*out, *in) + } return } diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml index 9415f6bbd7..13635bff49 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml 
@@ -8,6 +8,7 @@ apiservers.config.openshift.io: FeatureGates: - KMSEncryption - TLSAdherence + - TLSGroupPreferences FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_10" @@ -31,6 +32,7 @@ authentications.config.openshift.io: Category: "" FeatureGates: - ExternalOIDC + - ExternalOIDCExternalClaimsSourcing - ExternalOIDCWithUIDAndExtraClaimMappings - ExternalOIDCWithUpstreamParity FilenameOperatorName: config-operator diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go index b4afc2b962..1e9c65bf86 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go 
@@ -388,6 +388,28 @@ func (AuthenticationStatus) SwaggerDoc() map[string]string { return map_AuthenticationStatus } +var map_ClientCredentialConfig = map[string]string{ + "": "ClientCredentialConfig configures the client credentials and token endpoint to use to get an access token via the OAuth2 client credentials grant flow.", + "clientID": "clientID is a required client identifier to use during the OAuth2 client credentials flow. clientID must be at least 1 character in length, must not exceed 256 characters in length, and must only contain printable ASCII characters.", + "clientSecret": "clientSecret is a required reference to a Secret in the openshift-config namespace to be used as the client secret during the OAuth2 client credentials flow.\n\nThe key 'client-secret' is used to locate the client secret data in the Secret.", + "tokenEndpoint": "tokenEndpoint is a required URL to query for an access token using the client credential OAuth2 flow. tokenEndpoint must be at least 1 character in length and must not exceed 2048 characters in length. tokenEndpoint must be a valid HTTPS URL. tokenEndpoint must have a host and a path. tokenEndpoint must not contain query parameters, fragments, or user information (e.g., \"user:password@host\").", + "scopes": "scopes is an optional list of OAuth2 scopes to request when obtaining an access token.\n\nIf not specified, the token endpoint's default scopes will be used.\n\nWhen specified, there must be at least 1 entry and must not exceed 16 entries. Each entry must be at least 1 character in length and must not exceed 256 characters in length. Each entry must only contain printable ASCII characters, excluding spaces, double quotes and backslashes. 
Entries must be unique.", + "tls": "tls is an optional field that allows configuring the TLS settings used to interact with the identity provider as an OAuth2 client.\n\nWhen omitted, system default TLS settings will be used for the OAuth2 client.", +} + +func (ClientCredentialConfig) SwaggerDoc() map[string]string { + return map_ClientCredentialConfig +} + +var map_ClientSecretSecretReference = map[string]string{ + "": "ClientSecretSecretReference is a reference to a Secret in the openshift-config namespace that should be used for configuring the client secret to be used when sourcing claims from external sources with the client credential authentication flow.", + "name": "name is the required name of the Secret that exists in the openshift-config namespace.\n\nIt must be at least 1 character in length, must not exceed 253 characters in length, must start and end with a lowercase alphanumeric character, and must only contain lowercase alphanumeric characters, '-' or '.'.", +} + +func (ClientSecretSecretReference) SwaggerDoc() map[string]string { + return map_ClientSecretSecretReference +} + var map_DeprecatedWebhookTokenAuthenticator = map[string]string{ "": "deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field.", "kubeConfig": "kubeConfig contains kube config file data which describes how to access the remote webhook service. For further details, see: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication The key \"kubeConfig\" is used to locate the data. If the secret or expected key is not found, the webhook is not honored. If the specified kube config data is not valid, the webhook is not honored. The namespace for this secret is determined by the point of use.", 
@@ -397,6 +419,56 @@ func (DeprecatedWebhookTokenAuthenticator) SwaggerDoc() map[string]string { return map_DeprecatedWebhookTokenAuthenticator } +var map_ExternalClaimsSource = map[string]string{ + "": "ExternalClaimsSource provides the configuration for a single external claim source.", + "authentication": "authentication is an optional field that configures how the apiserver authenticates with an external claims source. When not specified, anonymous authentication is used which means no 'Authorization' header is sent in the HTTP request to fetch the external claims.", + "tls": "tls is an optional field that configures the http client TLS settings when fetching external claims from this source.\n\nWhen omitted, system default TLS settings will be used for fetching claims from the external source.", + "url": "url is a required configuration of the URL for which the external claims are located.", + "mappings": "mappings is a required list of the claim and response handling expression pairs that produces the claims from the external source. mappings must have at least 1 entry and must not exceed 16 entries. Entries must have a unique name across all external claim sources.", + "predicates": "predicates is an optional list of constraints in which claims should attempt to be fetched from this external source.\n\nWhen omitted, claims are always fetched from this external source.\n\nWhen specified, all predicates must evaluate to 'true' before claims are attempted to be fetched from this external source. predicates must have at least 1 entry and must not exceed 16 entries. 
Entries must have unique expressions.", +} + +func (ExternalClaimsSource) SwaggerDoc() map[string]string { + return map_ExternalClaimsSource +} + +var map_ExternalSourceAuthentication = map[string]string{ + "": "ExternalSourceAuthentication configures how the apiserver should attempt to authenticate with an external claims source.", + "type": "type is a required field that sets the type of authentication method used by the authenticator when fetching external claims.\n\nAllowed values are 'RequestProvidedToken' and 'ClientCredential'.\n\nWhen set to 'RequestProvidedToken', the authenticator will use the token provided to the kube-apiserver as part of the request to authenticate with the external claims source.\n\nWhen set to 'ClientCredential', the authenticator will use the configured client-id, client-secret, and token endpoint to fetch an access token using the OAuth2 client credentials grant flow. The fetched access token will then be used to authenticate with the external claims source.", + "clientCredential": "clientCredential configures the client credentials and token endpoint to use to get an access token. clientCredential is required when type is 'ClientCredential', and forbidden otherwise.", +} + +func (ExternalSourceAuthentication) SwaggerDoc() map[string]string { + return map_ExternalSourceAuthentication +} + +var map_ExternalSourceCertificateAuthorityConfigMapReference = map[string]string{ + "": "ExternalSourceCertificateAuthorityConfigMapReference is a reference to a ConfigMap in the openshift-config namespace that should be used for configuring the certificate authority to be used when sourcing claims from external sources.", + "name": "name is the required name of the ConfigMap that exists in the openshift-config namespace. 
The key \"ca-bundle.crt\" must be present and must contain the CA certificate to be used to verify the external source's TLS certificate.\n\nIt must be at least 1 character in length, must not exceed 253 characters in length, must start and end with a lowercase alphanumeric character, and must only contain lowercase alphanumeric characters, '-' or '.'.", +} + +func (ExternalSourceCertificateAuthorityConfigMapReference) SwaggerDoc() map[string]string { + return map_ExternalSourceCertificateAuthorityConfigMapReference +} + +var map_ExternalSourcePredicate = map[string]string{ + "": "ExternalSourcePredicate configures a singular condition that must return true before the external source is queried to retrieve external claims.", + "expression": "expression is a required CEL expression that is used to determine whether or not an external source should be used to fetch external claims.\n\nThe expression must return a boolean value, where true means that the source should be consulted and false means that it should not.\n\nClaims from the token used for the request to the kube-apiserver are made available via the `claims` variable.\n\nThe contents of the `claims` variable varies based on the claims that are present in the token being validated. 
It is the responsibility of those configuring this field to understand what claims the identity provider includes when issuing tokens.\n\nexpression must be at least 1 character and must not exceed 1024 characters in length.", +} + +func (ExternalSourcePredicate) SwaggerDoc() map[string]string { + return map_ExternalSourcePredicate +} + +var map_ExternalSourceTLS = map[string]string{ + "": "ExternalSourceTLS configures the TLS options that the apiserver uses as a client when making a request to the external claim source.", + "certificateAuthority": "certificateAuthority is a required reference to a ConfigMap in the openshift-config namespace that contains the CA certificate to use to validate TLS connections with the external claims source. The key \"ca-bundle.crt\" must be present in the referenced ConfigMap and must contain the CA certificate to be used to verify the external source's TLS certificate.", +} + +func (ExternalSourceTLS) SwaggerDoc() map[string]string { + return map_ExternalSourceTLS +} + var map_ExtraMapping = map[string]string{ "": "ExtraMapping allows specifying a key and CEL expression to evaluate the keys' value. It is used to create additional mappings and attributes added to a cluster identity from a provided authentication token.", "key": "key is a required field that specifies the string to use as the extra attribute key.\n\nkey must be a domain-prefix path (e.g 'example.org/foo'). key must not exceed 510 characters in length. key must contain the '/' character, separating the domain and path characters. key must not be empty.\n\nThe domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. It must not exceed 253 characters in length. It must start and end with an alphanumeric character. It must only contain lower case alphanumeric characters and '-' or '.'. 
It must not use the reserved domains, or be subdomains of, \"kubernetes.io\", \"k8s.io\", and \"openshift.io\".\n\nThe path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. It must not exceed 256 characters in length.", 
@@ -445,12 +517,13 @@ func (OIDCClientStatus) SwaggerDoc() map[string]string { } var map_OIDCProvider = map[string]string{ - "name": "name is a required field that configures the unique human-readable identifier associated with the identity provider. It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics.\n\nname must not be an empty string (\"\").", - "issuer": "issuer is a required field that configures how the platform interacts with the identity provider and how tokens issued from the identity provider are evaluated by the Kubernetes API server.", - "oidcClients": "oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs.", - "claimMappings": "claimMappings is a required field that configures the rules to be used by the Kubernetes API server for translating claims in a JWT token, issued by the identity provider, to a cluster identity.", - "claimValidationRules": "claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider.\n\nValidation rules are joined via an AND operation.", - "userValidationRules": "userValidationRules is an optional field that configures the set of rules used to validate the cluster user identity that was constructed via mapping token claims to user identity attributes. Rules are CEL expressions that must evaluate to 'true' for authentication to succeed. If any rule in the chain of rules evaluates to 'false', authentication will fail. When specified, at least one rule must be specified and no more than 64 rules may be specified.", + "name": "name is a required field that configures the unique human-readable identifier associated with the identity provider. 
It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics.\n\nname must not be an empty string (\"\").", + "issuer": "issuer is a required field that configures how the platform interacts with the identity provider and how tokens issued from the identity provider are evaluated by the Kubernetes API server.", + "oidcClients": "oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs.", + "claimMappings": "claimMappings is a required field that configures the rules to be used by the Kubernetes API server for translating claims in a JWT token, issued by the identity provider, to a cluster identity.", + "claimValidationRules": "claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider.\n\nValidation rules are joined via an AND operation.", + "userValidationRules": "userValidationRules is an optional field that configures the set of rules used to validate the cluster user identity that was constructed via mapping token claims to user identity attributes. Rules are CEL expressions that must evaluate to 'true' for authentication to succeed. If any rule in the chain of rules evaluates to 'false', authentication will fail. 
When specified, at least one rule must be specified and no more than 64 rules may be specified.", + "externalClaimsSources": "externalClaimsSources is an optional field that can be used to configure sources, external to the token provided in a request, in which claims should be fetched from and made available to the claim mapping process that is used to build the identity of a token holder.\n\nFor example, fetching additional user metadata from an OIDC provider's UserInfo endpoint.\n\nWhen not specified, only claims present in the token itself will be available in the claim mapping process.\n\nWhen specified, at least one external claim source must be specified and no more than 5 sources may be specified. All external claim sources must have unique claim mappings. When an external source responds and resolves additional claims successfully, they will be made available as claims during the claim mapping process. Externally sourced claims with the same name as a claim existing within the token will overwrite the claim data from the token with the externally sourced information. If an external source does not respond, responds with an error, or the additional claim data cannot be resolved from the response successfully it will not be included in the claim data passed to the claim mapping process.", } func (OIDCProvider) SwaggerDoc() map[string]string { 
@@ -466,6 +539,26 @@ func (PrefixedClaimMapping) SwaggerDoc() map[string]string { return map_PrefixedClaimMapping } +var map_SourceURL = map[string]string{ + "": "SourceURL configures the options used to build the URL that is queried for external claims.", + "hostname": "hostname is a required hostname for which the external claims are located.\n\nIt must be a valid DNS subdomain name as per RFC1123.\n\nThis means that it must start and end with a lowercase alphanumeric character, must only consist of lowercase alphanumeric characters, '-', and '.'. hostname may optionally specify a port in the format ':{port}'. If a port is specified it must not exceed 65535.\n\nhostname must be at least 1 character in length. When specifying a port, hostname must not exceed 259 characters in length. When not specifying a port, hostname must not exceed 253 characters in length.", + "pathExpression": "pathExpression is a required CEL expression that returns a list of string values used to construct the URL path. Claims from the token used for the request to the kube-apiserver are made available via the `claims` variable. expression must be at least 1 character in length and must not exceed 1024 characters in length.\n\nValues in the returned list will be joined with the hostname using a forward slash (`/`) as a separator. Values in the returned list do not need to include the forward slash. 
If a forward slash is included in a returned value, it will be encoded as `%2F`.\n\nExample of a static path configuration:\n\n pathExpression: ['realms', 'k8s', 'protocol', 'openid-connect', 'userinfo']\n\nThe above example would resolve to the path: '/realms/k8s/protocol/openid-connect/userinfo'\n\nExample of a dynamic path configuration:\n\n pathExpression: \"['admin', 'realms', 'k8s', 'users'] + [claims.sub] + ['groups']\"\n\nAssuming 'claims.sub' is set to '12345', the above example would resolve to the path: '/admin/realms/k8s/users/12345/groups'", +} + +func (SourceURL) SwaggerDoc() map[string]string { + return map_SourceURL +} + +var map_SourcedClaimMapping = map[string]string{ + "": "SourcedClaimMapping configures the mapping behavior for a single external claim from the response the apiserver received from the external claim source.", + "name": "name is a required name of the claim that will be produced and made available during the claim-to-identity mapping process. name must consist of only lowercase alpha characters and underscores ('_'). name must be at least 1 character and must not exceed 256 characters in length.", + "expression": "expression is a required CEL expression that will produce a value to be assigned to the claim. The full response body from the request to the external claim source is provided via the `response.body` variable.\n\nThe contents of the `response.body` variable varies based on the response received from the external source. 
It is the responsibility of those configuring this expression to understand what is returned from the external source.\n\nexpression must be at least 1 character and must not exceed 1024 characters in length.", +} + +func (SourcedClaimMapping) SwaggerDoc() map[string]string { + return map_SourcedClaimMapping +} + var map_TokenClaimMapping = map[string]string{ "": "TokenClaimMapping allows specifying a JWT token claim to be used when mapping claims from an authentication token to cluster identities.", "claim": "claim is an optional field for specifying the JWT token claim that is used in the mapping. The value of this claim will be assigned to the field in which this mapping is associated. claim must not exceed 256 characters in length. When set to the empty string `\"\"`, this means that no named claim should be used for the group mapping. claim is required when the ExternalOIDCWithUpstreamParity feature gate is not enabled.", 
@@ -3071,6 +3164,7 @@ func (OldTLSProfile) SwaggerDoc() map[string]string { var map_TLSProfileSpec = map[string]string{ "": "TLSProfileSpec is the desired behavior of a TLSSecurityProfile.", "ciphers": "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries that their operands do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml):\n\n ciphers:\n - ECDHE-RSA-AES128-GCM-SHA256\n\nTLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable and are always enabled when TLS 1.3 is negotiated.", + "groups": "groups is an optional, ordered field used to specify the supported groups (formerly known as elliptic curves) that are used during the TLS handshake. The order of the groups represents a suggested preference, with the most preferred group first. Note that not all platform components honor the ordering: Go-based components use Go's internal preference order and treat this list as a filter of allowed groups rather than an ordered preference. Operators may remove entries their operands do not support.\n\nWhen omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS libraries they use. If specified, the list must contain at least one and at most 7 groups, and each group must be unique.\n\nFor example, to use X25519 and secp256r1 (yaml):\n\n groups:\n - X25519\n - secp256r1", "minTLSVersion": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11", } 
@@ -3080,11 +3174,11 @@ func (TLSProfileSpec) SwaggerDoc() map[string]string { var map_TLSSecurityProfile = map[string]string{ "": "TLSSecurityProfile defines the schema for a TLS security profile. This object is used by operators to apply TLS security settings to operands.", - "type": "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters.\n\nThe profiles are based on version 5.7 of the Mozilla Server Side TLS configuration guidelines. The cipher lists consist of the configuration's \"ciphersuites\" followed by the Go-specific \"ciphers\" from the guidelines. See: https://ssl-config.mozilla.org/guidelines/5.7.json\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.", - "old": "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", - "intermediate": "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThis profile is equivalent to a Custom profile 
specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305", - "modern": "modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS13\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256", - "custom": "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this:\n\n minTLSVersion: VersionTLS11\n ciphers:\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256", + "type": "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters.\n\nThe cipher and groups lists in these profiles are based on version 5.8 of the Mozilla Server Side TLS configuration guidelines. See: https://ssl-config.mozilla.org/guidelines/5.8.json\n\nThe groups are listed in suggested preference order, with the most preferred group first. Note that not all platform components honor the ordering: Go-based components use Go's internal preference order and treat this list as a filter of allowed groups rather than an ordered preference. Note that X25519MLKEM768 is a post-quantum hybrid group that is not FIPS-approved and should be ignored by components running in FIPS mode.\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. 
Depending on precisely which ciphers are available to a process, the list may be reduced.", + "old": "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThe supported groups list includes by default the following groups in suggested preference order (ordering may not be honored by all implementations): X25519MLKEM768, X25519, secp256r1, secp384r1.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA384\n - ECDHE-RSA-AES256-SHA384\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES256-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", + "intermediate": "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThe supported groups list includes by default the following groups in suggested preference order (ordering may not be honored by all implementations): X25519MLKEM768, X25519, secp256r1, secp384r1.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305", + "modern": "modern is a 
TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients. The supported groups list includes by default the following groups in suggested preference order (ordering may not be honored by all implementations): X25519MLKEM768, X25519, secp256r1, secp384r1. This profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS13\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256", + "custom": "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic.\n\nThe supported groups list for this profile is empty by default.\n\nAn example custom profile looks like this:\n\n minTLSVersion: VersionTLS11\n ciphers:\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256", } func (TLSSecurityProfile) SwaggerDoc() map[string]string { diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go index b532c84602..ca2f0216a9 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go 
@@ -158,6 +158,12 @@ type ClusterMonitoringSpec struct {
 // When set, at least one field must be specified within monitoringPluginConfig.
 // +optional
 MonitoringPluginConfig MonitoringPluginConfig `json:"monitoringPluginConfig,omitempty,omitzero"`
+ // kubeStateMetricsConfig is an optional field that can be used to configure the kube-state-metrics
+ // agent that runs in the openshift-monitoring namespace. kube-state-metrics generates metrics about
+ // the state of Kubernetes objects such as Deployments, Nodes, and Pods.
+ // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.
+ // +optional
+ KubeStateMetricsConfig KubeStateMetricsConfig `json:"kubeStateMetricsConfig,omitempty,omitzero"`
 }
 
 // OpenShiftStateMetricsConfig provides configuration options for the openshift-state-metrics agent
@@ -796,12 +802,43 @@ type AlertmanagerConfig struct {
 CustomConfig AlertmanagerCustomConfig `json:"customConfig,omitempty,omitzero"`
 }
 
+// UserAlertmanagerConfigSelection controls whether the platform Alertmanager selects
+// AlertmanagerConfig resources from user-defined namespaces.
+// +enum
+type UserAlertmanagerConfigSelection string
+
+const (
+ // UserAlertmanagerConfigSelectionSelectable enables user-defined namespaces to be selected
+ // for AlertmanagerConfig lookups on the platform Alertmanager.
+ UserAlertmanagerConfigSelectionSelectable UserAlertmanagerConfigSelection = "Selectable"
+ // UserAlertmanagerConfigSelectionNone disables user-defined namespaces from being selected
+ // for AlertmanagerConfig lookups on the platform Alertmanager.
+ UserAlertmanagerConfigSelectionNone UserAlertmanagerConfigSelection = "None"
+)
+
 // AlertmanagerCustomConfig represents the configuration for a custom Alertmanager deployment.
 // alertmanagerCustomConfig provides configuration options for the default Alertmanager instance
 // that runs in the `openshift-monitoring` namespace. Use this configuration to control
-// whether the default Alertmanager is deployed, how it logs, and how its pods are scheduled.
+// whether user-defined namespaces are selected for AlertmanagerConfig lookups, how it logs,
+// and how its pods are scheduled.
 // +kubebuilder:validation:MinProperties=1
 type AlertmanagerCustomConfig struct {
+ // userAlertmanagerConfigSelection is an optional field that controls whether user-defined
+ // namespaces can be selected for AlertmanagerConfig lookups on the platform Alertmanager
+ // instance in the `openshift-monitoring` namespace.
+ // Valid values are Selectable and None.
+ // When set to Selectable, the platform Alertmanager discovers AlertmanagerConfig resources
+ // in user-defined namespaces. This is equivalent to `enableUserAlertmanagerConfig: true` in
+ // the cluster-monitoring-config ConfigMap.
+ // When set to None, user-defined namespaces are not selected for AlertmanagerConfig lookups
+ // on the platform Alertmanager. This is equivalent to `enableUserAlertmanagerConfig: false`
+ // in the cluster-monitoring-config ConfigMap.
+ // This setting only applies when the user-workload monitoring Alertmanager is not enabled.
+ // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.
+ // The current default value is `None`.
+ // +optional
+ // +kubebuilder:validation:Enum=Selectable;None
+ UserAlertmanagerConfigSelection UserAlertmanagerConfigSelection `json:"userAlertmanagerConfigSelection,omitempty"`
 // logLevel defines the verbosity of logs emitted by Alertmanager.
 // This field allows users to control the amount and severity of logs generated, which can be useful
 // for debugging issues or reducing noise in production environments.
@@ -1340,7 +1377,7 @@ type PrometheusConfig struct {
 // +kubebuilder:validation:MinItems=1
 Resources []ContainerResource `json:"resources,omitempty"`
 // retention configures how long Prometheus retains metrics data and how much storage it can use.
- // When omitted, the platform chooses reasonable defaults (currently 15 days retention, no size limit).
+ // When omitted, the platform chooses reasonable defaults (currently 15d retention, no size limit).
 // +optional
 Retention Retention `json:"retention,omitempty,omitzero"`
 // tolerations defines tolerations for the pods.
@@ -2235,26 +2272,63 @@ type SecretKeySelector struct {
 // Retention configures how long Prometheus retains metrics data and how much storage it can use.
 // +kubebuilder:validation:MinProperties=1
 type Retention struct {
+ // TOMBSTONE: This field has been tombstoned in favor of the `duration` field. This tombstone will be dropped when promoting this API to v1.
+ // ---
 // durationInDays specifies how many days Prometheus will retain metrics data.
 // Prometheus automatically deletes data older than this duration.
 // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.
 // The default value is 15.
 // Minimum value is 1 day.
 // Maximum value is 365 days (1 year).
- // +kubebuilder:validation:Minimum=1
- // +kubebuilder:validation:Maximum=365
- // +optional
- DurationInDays int32 `json:"durationInDays,omitempty"`
+ // Former marker: kubebuilder:validation:Minimum=1
+ // Former marker: kubebuilder:validation:Maximum=365
+ // Former marker: optional
+ // DurationInDays int32 `json:"durationInDays,omitempty"`
+
+ // TOMBSTONE: This field has been tombstoned in favor of the `size` field. This tombstone will be dropped when promoting this API to v1.
+ // ---
 // sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus
 // can use for data blocks and the write-ahead log (WAL).
 // When the limit is reached, Prometheus will delete oldest data first.
 // When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity.
 // Minimum value is 1 GiB.
 // Maximum value is 16384 GiB (16 TiB).
- // +kubebuilder:validation:Minimum=1
- // +kubebuilder:validation:Maximum=16384
+ // Former marker: kubebuilder:validation:Minimum=1
+ // Former marker: kubebuilder:validation:Maximum=16384
+ // Former marker: optional
+ // SizeInGiB int32 `json:"sizeInGiB,omitempty"`
+
+ // duration is an optional field that specifies how long Prometheus retains metrics data.
+ // Valid values are Prometheus-style duration strings with unit suffixes y, w, d, h, m, s, or ms
+ // (for example, "15d", "24h", or "5d1h30m"). Each unit value must be a positive integer.
+ // Composite durations must follow the fixed unit order y, w, d, h, m, s, ms.
+ // Must be at least 1 character and at most 64 characters.
+ // When set to "0", time-based retention is disabled. This is the only supported form for disabling
+ // time-based retention; other zero-duration representations such as "0d", "0h", or "0y" are rejected.
+ // Prometheus automatically deletes data older than this duration.
+ // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.
+ // The current default value is `15d`.
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=64
+ // +kubebuilder:validation:XValidation:rule=`self == "0" || self.matches('^([1-9][0-9]*y)?([1-9][0-9]*w)?([1-9][0-9]*d)?([1-9][0-9]*h)?([1-9][0-9]*m)?([1-9][0-9]*s)?([1-9][0-9]*ms)?$')`,message=`must be "0" to disable time-based retention, or a duration string with only positive unit values`
+ // +optional
+ Duration string `json:"duration,omitempty"`
+
+ // size is an optional field that specifies the maximum storage size that Prometheus
+ // can use for data blocks and the write-ahead log (WAL).
+ // Valid values are byte-size strings with an optional decimal prefix and a unit suffix B, KB, MB, GB,
+ // TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, "500MiB", "10GiB").
+ // The numeric value must be greater than zero.
+ // Must be at least 1 character and at most 32 characters.
+ // When set to "0", no size limit is enforced. This is the only supported form for disabling size-based
+ // retention; other zero-size representations such as "0B" or "0MiB" are rejected.
+ // When the limit is reached, Prometheus deletes oldest data first.
+ // When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity.
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=32
+ // +kubebuilder:validation:XValidation:rule=`self == "0" || self.matches('^([1-9][0-9]*([.][0-9]+)?|[0-9]*[.][1-9][0-9]*)((K|M|G|T|E|P)i?)?B$')`,message=`must be "0" to disable size-based retention, or a positive byte-size string`
 // +optional
- SizeInGiB int32 `json:"sizeInGiB,omitempty"`
+ Size string `json:"size,omitempty"`
 }
 
 // RelabelAction defines the action to perform in a relabeling rule.
@@ -2377,6 +2451,34 @@ type TelemeterClientConfig struct {
 // At least one field must be specified; an empty thanosQuerierConfig object is not allowed.
 // +kubebuilder:validation:MinProperties=1
 type ThanosQuerierConfig struct {
+ // logLevel defines the verbosity of logs emitted by Thanos Querier.
+ // logLevel is optional.
+ // Allowed values are Error, Warn, Info, and Debug.
+ // When set to Error, only errors will be logged.
+ // When set to Warn, both warnings and errors will be logged.
+ // When set to Info, general information, warnings, and errors will all be logged.
+ // When set to Debug, detailed debugging information will be logged.
+ // When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time.
+ // The current default value is `Info`.
+ // +optional
+ LogLevel LogLevel `json:"logLevel,omitempty"`
+ // requestLogging configures request logging for Thanos Querier.
+ // requestLogging is optional.
+ // When provided, the policy field within is required.
+ // When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time.
+ // The current default behavior is to not log any requests.
+ // +optional
+ RequestLogging ThanosQuerierRequestLoggingConfig `json:"requestLogging,omitempty,omitzero"`
+ // crossOriginRequestPolicy configures the CORS (Cross-Origin Resource Sharing) policy
+ // for Thanos Querier's HTTP endpoints.
+ // crossOriginRequestPolicy is optional.
+ // Valid values are "AllowAll" and "DenyAll".
+ // When set to "AllowAll", CORS headers are added to responses, allowing cross-origin requests from any domain.
+ // When set to "DenyAll", no CORS headers are added and cross-origin requests are rejected by the browser.
+ // When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time.
+ // The current default value is "DenyAll".
+ // +optional
+ CrossOriginRequestPolicy CrossOriginRequestPolicy `json:"crossOriginRequestPolicy,omitempty"`
 // nodeSelector defines the nodes on which the Pods are scheduled.
 // nodeSelector is optional.
 //
@@ -2445,6 +2547,42 @@ type ThanosQuerierConfig struct {
 TopologySpreadConstraints []v1.TopologySpreadConstraint `json:"topologySpreadConstraints,omitempty"`
 }
 
+// ThanosQuerierRequestLoggingConfig configures request logging for Thanos Querier.
+type ThanosQuerierRequestLoggingConfig struct {
+ // policy determines which HTTP and gRPC requests are logged by Thanos Querier.
+ // Valid values are "AllRequests" and "NoRequests".
+ // When set to "AllRequests", every request received by Thanos Querier is logged with method, path, and response status.
+ // The log level for request logs is derived from the logLevel field.
+ // When set to "NoRequests", request logging is turned off.
+ // +required
+ Policy RequestLoggingPolicy `json:"policy,omitempty"`
+}
+
+// RequestLoggingPolicy controls which HTTP and gRPC requests are logged.
+// Valid values are "AllRequests" and "NoRequests".
+// +kubebuilder:validation:Enum=AllRequests;NoRequests
+type RequestLoggingPolicy string
+
+const (
+ // RequestLoggingPolicyAllRequests enables logging of all incoming requests.
+ RequestLoggingPolicyAllRequests RequestLoggingPolicy = "AllRequests"
+ // RequestLoggingPolicyNoRequests disables request logging.
+ RequestLoggingPolicyNoRequests RequestLoggingPolicy = "NoRequests"
+)
+
+// CrossOriginRequestPolicy controls the CORS (Cross-Origin Resource Sharing) policy
+// for Thanos Querier's HTTP endpoints.
+// Valid values are "AllowAll" and "DenyAll".
+// +kubebuilder:validation:Enum=AllowAll;DenyAll
+type CrossOriginRequestPolicy string
+
+const (
+ // CrossOriginRequestPolicyAllowAll sets CORS headers allowing requests from any origin.
+ CrossOriginRequestPolicyAllowAll CrossOriginRequestPolicy = "AllowAll"
+ // CrossOriginRequestPolicyDenyAll does not set CORS headers, rejecting cross-origin requests.
+ CrossOriginRequestPolicyDenyAll CrossOriginRequestPolicy = "DenyAll"
+)
+
 // AuditProfile defines the audit log level for the Metrics Server.
 // +kubebuilder:validation:Enum=None;Metadata;Request;RequestResponse
 type AuditProfile string
@@ -2510,3 +2648,154 @@ type Audit struct {
 // +required
 Profile AuditProfile `json:"profile,omitempty"`
 }
+
+// KubeStateMetricsConfig provides configuration options for the kube-state-metrics agent
+// that runs in the `openshift-monitoring` namespace. kube-state-metrics generates metrics
+// about the state of Kubernetes objects such as Deployments, Nodes, and Pods.
+// +kubebuilder:validation:MinProperties=1
+type KubeStateMetricsConfig struct {
+ // nodeSelector defines the nodes on which the Pods are scheduled.
+ // nodeSelector is optional.
+ //
+ // When omitted, this means the user has no opinion and the platform is left
+ // to choose reasonable defaults. These defaults are subject to change over time.
+ // The current default value is `kubernetes.io/os: linux`.
+ // When specified, nodeSelector must contain at least 1 entry and must not contain more than 10 entries.
+ // +optional
+ // +kubebuilder:validation:MinProperties=1
+ // +kubebuilder:validation:MaxProperties=10
+ NodeSelector map[string]string `json:"nodeSelector,omitempty"`
+ // resources defines the compute resource requests and limits for the kube-state-metrics container.
+ // This includes CPU, memory and HugePages constraints to help control scheduling and resource usage.
+ // When not specified, defaults are used by the platform. Requests cannot exceed limits.
+ // This field is optional.
+ // More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ // This is a simplified API that maps to Kubernetes ResourceRequirements.
+ // The current default values are:
+ // resources:
+ // - name: cpu
+ // request: 4m
+ // limit: null
+ // - name: memory
+ // request: 40Mi
+ // limit: null
+ // Maximum length for this list is 5.
+ // Minimum length for this list is 1.
+ // Each resource name must be unique within this list.
+ // +optional
+ // +listType=map
+ // +listMapKey=name
+ // +kubebuilder:validation:MaxItems=5
+ // +kubebuilder:validation:MinItems=1
+ Resources []ContainerResource `json:"resources,omitempty"`
+ // tolerations defines tolerations for the pods.
+ // tolerations is optional.
+ //
+ // When omitted, no tolerations are applied. This default is subject to change over time.
+ // When specified, tolerations must contain at least 1 entry and must not contain more than 10 entries.
+ // Each toleration's operator, when specified, must be either "Exists" or "Equal".
+ // Each toleration's effect, when specified, must be one of "NoSchedule", "PreferNoSchedule", or "NoExecute".
+ // An empty or unset effect means match all effects.
+ // +kubebuilder:validation:MaxItems=10
+ // +kubebuilder:validation:MinItems=1
+ // +listType=atomic
+ // +kubebuilder:validation:XValidation:rule="self.all(t, !has(t.operator) || t.operator == 'Exists' || t.operator == 'Equal')",message="operator must be either Exists or Equal"
+ // +kubebuilder:validation:XValidation:rule="self.all(t, !has(t.effect) || t.effect == 'NoSchedule' || t.effect == 'PreferNoSchedule' || t.effect == 'NoExecute' || t.effect == '')",message="effect must be NoSchedule, PreferNoSchedule, NoExecute, or empty"
+ // +optional
+ Tolerations []v1.Toleration `json:"tolerations,omitempty"`
+ // topologySpreadConstraints defines rules for how kube-state-metrics Pods should be distributed
+ // across topology domains such as zones, nodes, or other user-defined labels.
+ // topologySpreadConstraints is optional.
+ // This helps improve high availability and resource efficiency by avoiding placing
+ // too many replicas in the same failure domain.
+ //
+ // This field maps directly to the `topologySpreadConstraints` field in the Pod spec.
+ // When omitted, no topology spread constraints are applied. This default is subject to change over time.
+ // When specified, topologySpreadConstraints must contain at least 1 entry and must not contain more than 10 entries.
+ // Entries must have unique topologyKey and whenUnsatisfiable pairs.
+ // Each entry's whenUnsatisfiable must be either "DoNotSchedule" or "ScheduleAnyway".
+ // Each entry's maxSkew must be at least 1.
+ // When minDomains is specified, it must be at least 1 and whenUnsatisfiable must be "DoNotSchedule".
+ // +kubebuilder:validation:MaxItems=10
+ // +kubebuilder:validation:MinItems=1
+ // +listType=map
+ // +listMapKey=topologyKey
+ // +listMapKey=whenUnsatisfiable
+ // +kubebuilder:validation:XValidation:rule="self.all(c, c.whenUnsatisfiable == 'DoNotSchedule' || c.whenUnsatisfiable == 'ScheduleAnyway')",message="whenUnsatisfiable must be either DoNotSchedule or ScheduleAnyway"
+ // +kubebuilder:validation:XValidation:rule="self.all(c, c.maxSkew >= 1)",message="maxSkew must be at least 1"
+ // +kubebuilder:validation:XValidation:rule="self.all(c, !has(c.minDomains) || c.minDomains >= 1)",message="minDomains must be at least 1"
+ // +kubebuilder:validation:XValidation:rule="self.all(c, !has(c.minDomains) || c.whenUnsatisfiable == 'DoNotSchedule')",message="minDomains can only be used when whenUnsatisfiable is DoNotSchedule"
+ // +optional
+ TopologySpreadConstraints []v1.TopologySpreadConstraint `json:"topologySpreadConstraints,omitempty"`
+ // additionalResourceLabels defines additional Kubernetes resource labels to expose as metrics
+ // in kube-state-metrics.
+ // Currently, only "Job" and "CronJob" resources are supported due to cardinality concerns.
+ // Each entry specifies a resource name and a list of Kubernetes label names to expose.
+ // Use "*" in the labels list to expose all labels for a given resource.
+ // additionalResourceLabels is optional.
+ // When omitted, no additional Kubernetes object labels are exposed as metrics
+ // by kube-state-metrics beyond its built-in metric labels (e.g. namespace, job_name).
+ // Use this field to opt in to exposing specific Kubernetes labels as metric labels
+ // for the supported resource types.
+ // Minimum length for this list is 1.
+ // Maximum length for this list is 2.
+ // Each resource name must be unique within this list.
+ // +optional
+ // +kubebuilder:validation:MaxItems=2
+ // +kubebuilder:validation:MinItems=1
+ // +listType=map
+ // +listMapKey=resource
+ AdditionalResourceLabels []KubeStateMetricsResourceLabels `json:"additionalResourceLabels,omitempty"`
+}
+
+// KubeStateMetricsResourceName is the name of a Kubernetes resource whose labels can be exposed
+// as metrics by kube-state-metrics. Currently, only "Job" and "CronJob" are supported
+// due to cardinality concerns.
+// Valid values are "Job" and "CronJob".
+// +kubebuilder:validation:Enum=Job;CronJob
+type KubeStateMetricsResourceName string
+
+const (
+ // KubeStateMetricsResourceJob indicates the Kubernetes Job resource.
+ KubeStateMetricsResourceJob KubeStateMetricsResourceName = "Job"
+ // KubeStateMetricsResourceCronJob indicates the Kubernetes CronJob resource.
+ KubeStateMetricsResourceCronJob KubeStateMetricsResourceName = "CronJob"
+)
+
+// KubeStateMetricsLabelName is the name of a Kubernetes label to expose as a metric
+// via kube-state-metrics. Use "*" to expose all labels for a resource.
+// Must be either the wildcard "*" or a valid Kubernetes label key.
+// A valid label key has an optional DNS subdomain prefix followed by a "/" and a name segment,
+// or just a name segment without a prefix. The name segment must be 63 characters or fewer,
+// beginning and ending with an alphanumeric character, with dashes, underscores, dots, and
+// alphanumerics in between.
+// Must be at least 1 character and at most 253 characters in length.
+// +kubebuilder:validation:MinLength=1
+// +kubebuilder:validation:MaxLength=253
+// +kubebuilder:validation:XValidation:rule="self == '*' || !format.qualifiedName().validate(self).hasValue()",message="must be a valid Kubernetes label key or the wildcard '*'"
+type KubeStateMetricsLabelName string
+
+// KubeStateMetricsResourceLabels defines which Kubernetes labels to expose as metrics
+// for a given resource type in kube-state-metrics.
+type KubeStateMetricsResourceLabels struct {
+ // resource is the Kubernetes resource name whose labels should be exposed as metrics.
+ // Currently, only "Job" and "CronJob" are supported due to cardinality concerns.
+ // Valid values are "Job" and "CronJob".
+ // This field is required.
+ // +required
+ Resource KubeStateMetricsResourceName `json:"resource,omitempty"`
+ // labels is the list of Kubernetes label names to expose as metrics for this resource.
+ // Use "*" to expose all labels for the specified resource.
+ // When "*" is specified, it must be the only entry in the list; mixing "*" with
+ // specific label names is not allowed.
+ // This field is required.
+ // Each label name must be unique within this list.
+ // Minimum length for this list is 1.
+ // Maximum length for this list is 50.
+ // +required
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:MaxItems=50
+ // +listType=set
+ // +kubebuilder:validation:XValidation:rule="!self.exists(l, l == '*') || self.size() == 1",message="when '*' is specified, no other labels may be listed"
+ Labels []KubeStateMetricsLabelName `json:"labels,omitempty"`
+}
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go
index efc8bf3399..7313338a3b 100644
--- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go
+++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go
@@ -451,6 +451,7 @@ func (in *ClusterMonitoringSpec) DeepCopyInto(out *ClusterMonitoringSpec) { in.ThanosQuerierConfig.DeepCopyInto(&out.ThanosQuerierConfig) in.NodeExporterConfig.DeepCopyInto(&out.NodeExporterConfig) in.MonitoringPluginConfig.DeepCopyInto(&out.MonitoringPluginConfig) + in.KubeStateMetricsConfig.DeepCopyInto(&out.KubeStateMetricsConfig) return } 
@@ -751,6 +752,78 @@ func (in *KeyConfig) DeepCopy() *KeyConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KubeStateMetricsConfig) DeepCopyInto(out *KubeStateMetricsConfig) { + *out = *in + if in.NodeSelector != nil { + in, out := &in.NodeSelector, &out.NodeSelector + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + if in.Resources != nil { + in, out := &in.Resources, &out.Resources + *out = make([]ContainerResource, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Tolerations != nil { + in, out := &in.Tolerations, &out.Tolerations + *out = make([]v1.Toleration, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.TopologySpreadConstraints != nil { + in, out := &in.TopologySpreadConstraints, &out.TopologySpreadConstraints + *out = make([]v1.TopologySpreadConstraint, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.AdditionalResourceLabels != nil { + in, out := &in.AdditionalResourceLabels, &out.AdditionalResourceLabels + *out = make([]KubeStateMetricsResourceLabels, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeStateMetricsConfig. +func (in *KubeStateMetricsConfig) DeepCopy() *KubeStateMetricsConfig { + if in == nil { + return nil + } + out := new(KubeStateMetricsConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *KubeStateMetricsResourceLabels) DeepCopyInto(out *KubeStateMetricsResourceLabels) { + *out = *in + if in.Labels != nil { + in, out := &in.Labels, &out.Labels + *out = make([]KubeStateMetricsLabelName, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeStateMetricsResourceLabels. +func (in *KubeStateMetricsResourceLabels) DeepCopy() *KubeStateMetricsResourceLabels { + if in == nil { + return nil + } + out := new(KubeStateMetricsResourceLabels) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Label) DeepCopyInto(out *Label) { *out = *in @@ -1954,6 +2027,7 @@ func (in *TelemeterClientConfig) DeepCopy() *TelemeterClientConfig { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ThanosQuerierConfig) DeepCopyInto(out *ThanosQuerierConfig) { *out = *in + out.RequestLogging = in.RequestLogging if in.NodeSelector != nil { in, out := &in.NodeSelector, &out.NodeSelector *out = make(map[string]string, len(*in)) 
@@ -1995,6 +2069,22 @@ func (in *ThanosQuerierConfig) DeepCopy() *ThanosQuerierConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ThanosQuerierRequestLoggingConfig) DeepCopyInto(out *ThanosQuerierRequestLoggingConfig) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ThanosQuerierRequestLoggingConfig. +func (in *ThanosQuerierRequestLoggingConfig) DeepCopy() *ThanosQuerierRequestLoggingConfig { + if in == nil { + return nil + } + out := new(ThanosQuerierRequestLoggingConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *UppercaseActionConfig) DeepCopyInto(out *UppercaseActionConfig) { *out = *in diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go index 8c79eb0678..2194d79def 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go 
@@ -106,14 +106,15 @@ func (AlertmanagerConfig) SwaggerDoc() map[string]string { } var map_AlertmanagerCustomConfig = map[string]string{ - "": "AlertmanagerCustomConfig represents the configuration for a custom Alertmanager deployment. alertmanagerCustomConfig provides configuration options for the default Alertmanager instance that runs in the `openshift-monitoring` namespace. Use this configuration to control whether the default Alertmanager is deployed, how it logs, and how its pods are scheduled.", - "logLevel": "logLevel defines the verbosity of logs emitted by Alertmanager. This field allows users to control the amount and severity of logs generated, which can be useful for debugging issues or reducing noise in production environments. Allowed values are Error, Warn, Info, and Debug. When set to Error, only errors will be logged. When set to Warn, both warnings and errors will be logged. When set to Info, general information, warnings, and errors will all be logged. When set to Debug, detailed debugging information will be logged. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `Info`.", - "nodeSelector": "nodeSelector defines the nodes on which the Pods are scheduled nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`.", - "resources": "resources defines the compute resource requests and limits for the Alertmanager container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 5. Minimum length for this list is 1. Each resource name must be unique within this list.", - "secrets": "secrets defines a list of secrets that need to be mounted into the Alertmanager. The secrets must reside within the same namespace as the Alertmanager object. They will be added as volumes named secret- and mounted at /etc/alertmanager/secrets/ within the 'alertmanager' container of the Alertmanager Pods.\n\nThese secrets can be used to authenticate Alertmanager with endpoint receivers. For example, you can use secrets to: - Provide certificates for TLS authentication with receivers that require private CA certificates - Store credentials for Basic HTTP authentication with receivers that require password-based auth - Store any other authentication credentials needed by your alert receivers\n\nThis field is optional. Maximum length for this list is 10. Minimum length for this list is 1. Entries in this list must be unique.", - "tolerations": "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10. Minimum length for this list is 1.", - "topologySpreadConstraints": "topologySpreadConstraints defines rules for how Alertmanager Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. 
This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1. Entries must have unique topologyKey and whenUnsatisfiable pairs.", - "volumeClaimTemplate": "volumeClaimTemplate defines persistent storage for Alertmanager. Use this setting to configure the persistent volume claim, including storage class and volume size. If omitted, the Pod uses ephemeral storage and alert data will not persist across restarts.", + "": "AlertmanagerCustomConfig represents the configuration for a custom Alertmanager deployment. alertmanagerCustomConfig provides configuration options for the default Alertmanager instance that runs in the `openshift-monitoring` namespace. Use this configuration to control whether user-defined namespaces are selected for AlertmanagerConfig lookups, how it logs, and how its pods are scheduled.", + "userAlertmanagerConfigSelection": "userAlertmanagerConfigSelection is an optional field that controls whether user-defined namespaces can be selected for AlertmanagerConfig lookups on the platform Alertmanager instance in the `openshift-monitoring` namespace. Valid values are Selectable and None. When set to Selectable, the platform Alertmanager discovers AlertmanagerConfig resources in user-defined namespaces. This is equivalent to `enableUserAlertmanagerConfig: true` in the cluster-monitoring-config ConfigMap. When set to None, user-defined namespaces are not selected for AlertmanagerConfig lookups on the platform Alertmanager. This is equivalent to `enableUserAlertmanagerConfig: false` in the cluster-monitoring-config ConfigMap. 
This setting only applies when the user-workload monitoring Alertmanager is not enabled. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `None`.", + "logLevel": "logLevel defines the verbosity of logs emitted by Alertmanager. This field allows users to control the amount and severity of logs generated, which can be useful for debugging issues or reducing noise in production environments. Allowed values are Error, Warn, Info, and Debug. When set to Error, only errors will be logged. When set to Warn, both warnings and errors will be logged. When set to Info, general information, warnings, and errors will all be logged. When set to Debug, detailed debugging information will be logged. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `Info`.", + "nodeSelector": "nodeSelector defines the nodes on which the Pods are scheduled nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`.", + "resources": "resources defines the compute resource requests and limits for the Alertmanager container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 5. Minimum length for this list is 1. 
Each resource name must be unique within this list.", + "secrets": "secrets defines a list of secrets that need to be mounted into the Alertmanager. The secrets must reside within the same namespace as the Alertmanager object. They will be added as volumes named secret- and mounted at /etc/alertmanager/secrets/ within the 'alertmanager' container of the Alertmanager Pods.\n\nThese secrets can be used to authenticate Alertmanager with endpoint receivers. For example, you can use secrets to: - Provide certificates for TLS authentication with receivers that require private CA certificates - Store credentials for Basic HTTP authentication with receivers that require password-based auth - Store any other authentication credentials needed by your alert receivers\n\nThis field is optional. Maximum length for this list is 10. Minimum length for this list is 1. Entries in this list must be unique.", + "tolerations": "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10. Minimum length for this list is 1.", + "topologySpreadConstraints": "topologySpreadConstraints defines rules for how Alertmanager Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1. 
Entries must have unique topologyKey and whenUnsatisfiable pairs.", + "volumeClaimTemplate": "volumeClaimTemplate defines persistent storage for Alertmanager. Use this setting to configure the persistent volume claim, including storage class and volume size. If omitted, the Pod uses ephemeral storage and alert data will not persist across restarts.", } func (AlertmanagerCustomConfig) SwaggerDoc() map[string]string { 
@@ -183,6 +184,7 @@ var map_ClusterMonitoringSpec = map[string]string{ "thanosQuerierConfig": "thanosQuerierConfig is an optional field that can be used to configure the Thanos Querier component that runs in the openshift-monitoring namespace. The Thanos Querier provides a global query view by aggregating and deduplicating metrics from multiple Prometheus instances. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default deploys the Thanos Querier on linux nodes with 5m CPU and 12Mi memory requests, and no custom tolerations or topology spread constraints. When set, at least one field must be specified within thanosQuerierConfig.", "nodeExporterConfig": "nodeExporterConfig is an optional field that can be used to configure the node-exporter agent that runs as a DaemonSet in the openshift-monitoring namespace. The node-exporter agent collects hardware and OS-level metrics from every node in the cluster. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.", "monitoringPluginConfig": "monitoringPluginConfig is an optional field that can be used to configure the monitoring plugin that runs as a dynamic plugin of the OpenShift web console. The monitoring plugin provides the monitoring UI in the OpenShift web console for visualizing metrics, alerts, and dashboards. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default deploys the monitoring-plugin as a single-replica Deployment on linux nodes with 10m CPU and 50Mi memory requests, and no custom tolerations or topology spread constraints. 
When set, at least one field must be specified within monitoringPluginConfig.", + "kubeStateMetricsConfig": "kubeStateMetricsConfig is an optional field that can be used to configure the kube-state-metrics agent that runs in the openshift-monitoring namespace. kube-state-metrics generates metrics about the state of Kubernetes objects such as Deployments, Nodes, and Pods. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.", } func (ClusterMonitoringSpec) SwaggerDoc() map[string]string { 
@@ -236,6 +238,29 @@ func (KeepEqualActionConfig) SwaggerDoc() map[string]string { return map_KeepEqualActionConfig } +var map_KubeStateMetricsConfig = map[string]string{ + "": "KubeStateMetricsConfig provides configuration options for the kube-state-metrics agent that runs in the `openshift-monitoring` namespace. kube-state-metrics generates metrics about the state of Kubernetes objects such as Deployments, Nodes, and Pods.", + "nodeSelector": "nodeSelector defines the nodes on which the Pods are scheduled. nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`. When specified, nodeSelector must contain at least 1 entry and must not contain more than 10 entries.", + "resources": "resources defines the compute resource requests and limits for the kube-state-metrics container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 5. Minimum length for this list is 1. Each resource name must be unique within this list.", + "tolerations": "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, no tolerations are applied. This default is subject to change over time. When specified, tolerations must contain at least 1 entry and must not contain more than 10 entries. Each toleration's operator, when specified, must be either \"Exists\" or \"Equal\". 
Each toleration's effect, when specified, must be one of \"NoSchedule\", \"PreferNoSchedule\", or \"NoExecute\". An empty or unset effect means match all effects.", + "topologySpreadConstraints": "topologySpreadConstraints defines rules for how kube-state-metrics Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nThis field maps directly to the `topologySpreadConstraints` field in the Pod spec. When omitted, no topology spread constraints are applied. This default is subject to change over time. When specified, topologySpreadConstraints must contain at least 1 entry and must not contain more than 10 entries. Entries must have unique topologyKey and whenUnsatisfiable pairs. Each entry's whenUnsatisfiable must be either \"DoNotSchedule\" or \"ScheduleAnyway\". Each entry's maxSkew must be at least 1. When minDomains is specified, it must be at least 1 and whenUnsatisfiable must be \"DoNotSchedule\".", + "additionalResourceLabels": "additionalResourceLabels defines additional Kubernetes resource labels to expose as metrics in kube-state-metrics. Currently, only \"Job\" and \"CronJob\" resources are supported due to cardinality concerns. Each entry specifies a resource name and a list of Kubernetes label names to expose. Use \"*\" in the labels list to expose all labels for a given resource. additionalResourceLabels is optional. When omitted, no additional Kubernetes object labels are exposed as metrics by kube-state-metrics beyond its built-in metric labels (e.g. namespace, job_name). Use this field to opt in to exposing specific Kubernetes labels as metric labels for the supported resource types. Minimum length for this list is 1. Maximum length for this list is 2. 
Each resource name must be unique within this list.", +} + +func (KubeStateMetricsConfig) SwaggerDoc() map[string]string { + return map_KubeStateMetricsConfig +} + +var map_KubeStateMetricsResourceLabels = map[string]string{ + "": "KubeStateMetricsResourceLabels defines which Kubernetes labels to expose as metrics for a given resource type in kube-state-metrics.", + "resource": "resource is the Kubernetes resource name whose labels should be exposed as metrics. Currently, only \"Job\" and \"CronJob\" are supported due to cardinality concerns. Valid values are \"Job\" and \"CronJob\". This field is required.", + "labels": "labels is the list of Kubernetes label names to expose as metrics for this resource. Use \"*\" to expose all labels for the specified resource. When \"*\" is specified, it must be the only entry in the list; mixing \"*\" with specific label names is not allowed. This field is required. Each label name must be unique within this list. Minimum length for this list is 1. Maximum length for this list is 50.", +} + +func (KubeStateMetricsResourceLabels) SwaggerDoc() map[string]string { + return map_KubeStateMetricsResourceLabels +} + var map_Label = map[string]string{ "": "Label represents a key/value pair for external labels.", "key": "key is the name of the label. Prometheus supports UTF-8 label names, so any valid UTF-8 string is allowed. Must be between 1 and 128 characters in length.", 
@@ -504,7 +529,7 @@ var map_PrometheusConfig = map[string]string{ "queryLogFile": "queryLogFile specifies the file to which PromQL queries are logged. This setting can be either a filename, in which case the queries are saved to an `emptyDir` volume at `/var/log/prometheus`, or a full path to a location where an `emptyDir` volume will be mounted and the queries saved. Writing to `/dev/stderr`, `/dev/stdout` or `/dev/null` is supported, but writing to any other `/dev/` path is not supported. Relative paths are also not supported. By default, PromQL queries are not logged. Must be an absolute path starting with `/` or a simple filename without path separators. Must not contain consecutive slashes, end with a slash, or include '..' path traversal. Must contain only alphanumeric characters, '.', '_', '-', or '/'. Must be between 1 and 255 characters in length.", "remoteWrite": "remoteWrite defines the remote write configuration, including URL, authentication, and relabeling settings. Remote write allows Prometheus to send metrics it collects to external long-term storage systems. When omitted, no remote write endpoints are configured. When provided, at least one configuration must be specified (minimum 1, maximum 10 items). Entries must have unique names (name is the list key).", "resources": "resources defines the compute resource requests and limits for the Prometheus container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 5. Minimum length for this list is 1. 
Each resource name must be unique within this list.", - "retention": "retention configures how long Prometheus retains metrics data and how much storage it can use. When omitted, the platform chooses reasonable defaults (currently 15 days retention, no size limit).", + "retention": "retention configures how long Prometheus retains metrics data and how much storage it can use. When omitted, the platform chooses reasonable defaults (currently 15d retention, no size limit).", "tolerations": "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10 Minimum length for this list is 1", "topologySpreadConstraints": "topologySpreadConstraints defines rules for how Prometheus Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1 Entries must have unique topologyKey and whenUnsatisfiable pairs.", "collectionProfile": "collectionProfile defines the metrics collection profile that Prometheus uses to collect metrics from the platform components. Supported values are `Full` or `Minimal`. In the `Full` profile (default), Prometheus collects all metrics that are exposed by the platform components. In the `Minimal` profile, Prometheus only collects metrics necessary for the default platform alerts, recording rules, telemetry and console dashboards. 
When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The default value is `Full`.", 
@@ -637,9 +662,9 @@ func (ReplaceActionConfig) SwaggerDoc() map[string]string { } var map_Retention = map[string]string{ - "": "Retention configures how long Prometheus retains metrics data and how much storage it can use.", - "durationInDays": "durationInDays specifies how many days Prometheus will retain metrics data. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The default value is 15. Minimum value is 1 day. Maximum value is 365 days (1 year).", - "sizeInGiB": "sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus can use for data blocks and the write-ahead log (WAL). When the limit is reached, Prometheus will delete oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. Minimum value is 1 GiB. Maximum value is 16384 GiB (16 TiB).", + "": "Retention configures how long Prometheus retains metrics data and how much storage it can use.", + "duration": "duration is an optional field that specifies how long Prometheus retains metrics data. Valid values are Prometheus-style duration strings with unit suffixes y, w, d, h, m, s, or ms (for example, \"15d\", \"24h\", or \"5d1h30m\"). Each unit value must be a positive integer. Composite durations must follow the fixed unit order y, w, d, h, m, s, ms. Must be at least 1 character and at most 64 characters. When set to \"0\", time-based retention is disabled. This is the only supported form for disabling time-based retention; other zero-duration representations such as \"0d\", \"0h\", or \"0y\" are rejected. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. 
The current default value is `15d`.", + "size": "size is an optional field that specifies the maximum storage size that Prometheus can use for data blocks and the write-ahead log (WAL). Valid values are byte-size strings with an optional decimal prefix and a unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, \"500MiB\", \"10GiB\"). The numeric value must be greater than zero. Must be at least 1 character and at most 32 characters. When set to \"0\", no size limit is enforced. This is the only supported form for disabling size-based retention; other zero-size representations such as \"0B\" or \"0MiB\" are rejected. When the limit is reached, Prometheus deletes oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity.", } func (Retention) SwaggerDoc() map[string]string { 
@@ -696,6 +721,9 @@ func (TelemeterClientConfig) SwaggerDoc() map[string]string { var map_ThanosQuerierConfig = map[string]string{ "": "ThanosQuerierConfig provides configuration options for the Thanos Querier component that runs in the `openshift-monitoring` namespace. At least one field must be specified; an empty thanosQuerierConfig object is not allowed.", + "logLevel": "logLevel defines the verbosity of logs emitted by Thanos Querier. logLevel is optional. Allowed values are Error, Warn, Info, and Debug. When set to Error, only errors will be logged. When set to Warn, both warnings and errors will be logged. When set to Info, general information, warnings, and errors will all be logged. When set to Debug, detailed debugging information will be logged. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `Info`.", + "requestLogging": "requestLogging configures request logging for Thanos Querier. requestLogging is optional. When provided, the policy field within is required. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default behavior is to not log any requests.", + "crossOriginRequestPolicy": "crossOriginRequestPolicy configures the CORS (Cross-Origin Resource Sharing) policy for Thanos Querier's HTTP endpoints. crossOriginRequestPolicy is optional. Valid values are \"AllowAll\" and \"DenyAll\". When set to \"AllowAll\", CORS headers are added to responses, allowing cross-origin requests from any domain. When set to \"DenyAll\", no CORS headers are added and cross-origin requests are rejected by the browser. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is \"DenyAll\".", "nodeSelector": "nodeSelector defines the nodes on which the Pods are scheduled. 
nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`. When specified, nodeSelector must contain at least 1 entry and must not contain more than 10 entries.", "resources": "resources defines the compute resource requests and limits for the Thanos Querier container. resources is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Requests cannot exceed limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 5m\n - name: memory\n request: 12Mi\nMaximum length for this list is 5. Minimum length for this list is 1. Each resource name must be unique within this list.", "tolerations": "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10. Minimum length for this list is 1.", 
@@ -706,6 +734,15 @@ func (ThanosQuerierConfig) SwaggerDoc() map[string]string {
 return map_ThanosQuerierConfig
 }
+var map_ThanosQuerierRequestLoggingConfig = map[string]string{
+ "": "ThanosQuerierRequestLoggingConfig configures request logging for Thanos Querier.",
+ "policy": "policy determines which HTTP and gRPC requests are logged by Thanos Querier. Valid values are \"AllRequests\" and \"NoRequests\". When set to \"AllRequests\", every request received by Thanos Querier is logged with method, path, and response status. The log level for request logs is derived from the logLevel field. When set to \"NoRequests\", request logging is turned off.",
+}
+
+func (ThanosQuerierRequestLoggingConfig) SwaggerDoc() map[string]string {
+ return map_ThanosQuerierRequestLoggingConfig
+}
+
 var map_UppercaseActionConfig = map[string]string{
 "": "UppercaseActionConfig configures the Uppercase action. Maps the concatenated source_labels to their upper case and writes to target_label. Requires Prometheus >= v2.36.0.",
 "targetLabel": "targetLabel is the label name where the upper-cased value is written. Must be between 1 and 128 characters in length.",
diff --git a/vendor/github.com/openshift/api/features.md b/vendor/github.com/openshift/api/features.md
index 750b68d62f..0b16169cfe 100644
--- a/vendor/github.com/openshift/api/features.md
+++ b/vendor/github.com/openshift/api/features.md
@@ -3,9 +3,14 @@
 | ClientsAllowCBOR| | | | | | | | |
 | ClusterAPIInstall| | | | | | | | |
 | EventedPLEG| | | | | | | | |
+| MachineAPIMigrationAzure| | | | | | | | |
+| MachineAPIMigrationBareMetal| | | | | | | | |
+| MachineAPIMigrationGCP| | | | | | | | |
+| MachineAPIMigrationPowerVS| | | | | | | | |
 | MachineAPIOperatorDisableMachineHealthCheckController| | | | | | | | |
 | MultiArchInstallAzure| | | | | | | | |
 | ShortCertRotation| | | | | | | | |
+| MutableTopology| | | | Enabled | | | | |
 | ClusterAPIComputeInstall| | | Enabled | Enabled | | | | |
 | ClusterAPIControlPlaneInstall| | | Enabled | Enabled | | | | |
 | ClusterUpdatePreflight| | | Enabled | Enabled | | | | |
@@ -23,9 +28,7 @@
 | NoRegistryClusterInstall| | | | Enabled | | | | Enabled |
 | OLMLifecycleAndCompatibility| | | | Enabled | | | | Enabled |
 | ProvisioningRequestAvailable| | | Enabled | Enabled | | | | |
-| VSphereMultiVCenterDay2| | | Enabled | Enabled | | | | |
 | AWSClusterHostedDNS| | | Enabled | Enabled | | | Enabled | Enabled |
-| AWSClusterHostedDNSInstall| | | Enabled | Enabled | | | Enabled | Enabled |
 | AWSDedicatedHosts| | | Enabled | Enabled | | | Enabled | Enabled |
 | AWSDualStackInstall| | | Enabled | Enabled | | | Enabled | Enabled |
 | AWSEuropeanSovereignCloudInstall| | | Enabled | Enabled | | | Enabled | Enabled |
@@ -77,16 +80,19 @@
 | NewOLMWebhookProviderOpenshiftServiceCA| | Enabled | | Enabled | | Enabled | | Enabled |
 | NoOverlayMode| | | Enabled | Enabled | | | Enabled | Enabled |
 | NutanixMultiSubnets| | | Enabled | Enabled | | | Enabled | Enabled |
-| OSStreams| | | Enabled | Enabled | | | Enabled | Enabled |
 | OVNObservability| | | Enabled | Enabled | | | Enabled | Enabled |
 | OnPremDNSRecords| | | Enabled | Enabled | | | Enabled | Enabled |
 | SELinuxMount| | | Enabled | Enabled | | | Enabled | Enabled |
 | SignatureStores| | | Enabled | Enabled | | | Enabled | Enabled |
 | TLSAdherence| | | Enabled | Enabled | | | Enabled | Enabled |
+| TLSGroupPreferences| | | Enabled | Enabled | | | Enabled | Enabled |
 | VSphereConfigurableMaxAllowedBlockVolumesPerNode| | | Enabled | Enabled | | | Enabled | Enabled |
 | VSphereMixedNodeEnv| | | Enabled | Enabled | | | Enabled | Enabled |
+| VSphereMultiVCenterDay2| | | Enabled | Enabled | | | Enabled | Enabled |
 | VolumeGroupSnapshot| | | Enabled | Enabled | | | Enabled | Enabled |
 | AWSServiceLBNetworkSecurityGroup| | Enabled | Enabled | Enabled | | Enabled | Enabled | Enabled |
+| OSStreams| | Enabled | Enabled | Enabled | | Enabled | Enabled | Enabled |
+| AWSClusterHostedDNSInstall| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
 | AzureClusterHostedDNSInstall| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
 | AzureWorkloadIdentity| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
 | BootImageSkewEnforcement| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
@@ -106,6 +112,7 @@
 | MutableCSINodeAllocatableCount| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
 | MutatingAdmissionPolicy| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
 | OpenShiftPodSecurityAdmission| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
+| RouteExternalCertificate| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
 | ServiceAccountTokenNodeBinding| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
 | SigstoreImageVerification| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
 | SigstoreImageVerificationPKI| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
diff --git a/vendor/github.com/openshift/api/features/features.go b/vendor/github.com/openshift/api/features/features.go
index c17075aa86..1d0f9bcce4 100644
--- a/vendor/github.com/openshift/api/features/features.go
+++ b/vendor/github.com/openshift/api/features/features.go
@@ -178,6 +178,14 @@ var (
 enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 mustRegister()
+ FeatureGateRouteExternalCertificate = newFeatureGate("RouteExternalCertificate").
+ reportProblemsToJiraComponent("router").
+ contactPerson("chiragkyal").
+ productScope(ocpSpecific).
+ enhancementPR(legacyFeatureGateWithoutEnhancement).
+ enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
+ mustRegister()
+
 FeatureGateNetworkConnect = newFeatureGate("NetworkConnect").
 reportProblemsToJiraComponent("Networking/ovn-kubernetes").
 contactPerson("tssurya").
@@ -457,12 +465,12 @@ var (
 mustRegister()
 FeatureGateOLMLifecycleAndCompatibility = newFeatureGate("OLMLifecycleAndCompatibility").
- reportProblemsToJiraComponent("olm").
- contactPerson("joelanford").
- productScope(ocpSpecific).
- enhancementPR("https://github.com/openshift/enhancements/pull/1991").
- enable(inClusterProfile(SelfManaged), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
- mustRegister()
+ reportProblemsToJiraComponent("olm").
+ contactPerson("joelanford").
+ productScope(ocpSpecific).
+ enhancementPR("https://github.com/openshift/enhancements/pull/1991").
+ enable(inClusterProfile(SelfManaged), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
+ mustRegister()
 FeatureGateInsightsOnDemandDataGather = newFeatureGate("InsightsOnDemandDataGather").
 reportProblemsToJiraComponent("insights").
@@ -527,6 +535,34 @@ var (
 enable(inDevPreviewNoUpgrade()).
 mustRegister()
+ FeatureGateMachineAPIMigrationAzure = newFeatureGate("MachineAPIMigrationAzure").
+ reportProblemsToJiraComponent("Cloud Compute / Cluster API Providers").
+ contactPerson("ddonati").
+ productScope(ocpSpecific).
+ enhancementPR("https://github.com/openshift/enhancements/pull/1465").
+ mustRegister()
+
+ FeatureGateMachineAPIMigrationBareMetal = newFeatureGate("MachineAPIMigrationBareMetal").
+ reportProblemsToJiraComponent("Cloud Compute / BareMetal Provider").
+ contactPerson("ddonati").
+ productScope(ocpSpecific).
+ enhancementPR("https://github.com/openshift/enhancements/pull/1465").
+ mustRegister()
+
+ FeatureGateMachineAPIMigrationGCP = newFeatureGate("MachineAPIMigrationGCP").
+ reportProblemsToJiraComponent("Cloud Compute / Cluster API Providers").
+ contactPerson("ddonati").
+ productScope(ocpSpecific).
+ enhancementPR("https://github.com/openshift/enhancements/pull/1465").
+ mustRegister()
+
+ FeatureGateMachineAPIMigrationPowerVS = newFeatureGate("MachineAPIMigrationPowerVS").
+ reportProblemsToJiraComponent("Cloud Compute / IBM Provider").
+ contactPerson("ddonati").
+ productScope(ocpSpecific).
+ enhancementPR("https://github.com/openshift/enhancements/pull/1465").
+ mustRegister()
+
 FeatureGateClusterAPIMachineManagement = newFeatureGate("ClusterAPIMachineManagement").
 reportProblemsToJiraComponent("Cloud Compute / Cluster API Providers").
 contactPerson("ddonati").
@@ -770,7 +806,7 @@ var (
 contactPerson("vr4manta").
 productScope(ocpSpecific).
 enhancementPR("https://github.com/openshift/enhancements/pull/1961").
- enable(inDevPreviewNoUpgrade()).
+ enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 mustRegister()
 FeatureGateAWSServiceLBNetworkSecurityGroup = newFeatureGate("AWSServiceLBNetworkSecurityGroup").
@@ -795,7 +831,7 @@ var (
 contactPerson("barbacbd").
 productScope(ocpSpecific).
 enhancementPR("https://github.com/openshift/enhancements/pull/1468").
- enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
+ enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 mustRegister()
 FeatureGateGCPCustomAPIEndpointsInstall = newFeatureGate("GCPCustomAPIEndpointsInstall").
@@ -880,7 +916,8 @@ var (
 contactPerson("pabrodri").
 productScope(ocpSpecific).
 enhancementPR("https://github.com/openshift/enhancements/pull/1874").
- enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
+ enable(inClusterProfile(SelfManaged), inDevPreviewNoUpgrade(), inTechPreviewNoUpgrade(), inDefault(), inOKD()).
+ enable(inClusterProfile(Hypershift), inDevPreviewNoUpgrade(), inTechPreviewNoUpgrade()).
 mustRegister()
 FeatureGateCRDCompatibilityRequirementOperator = newFeatureGate("CRDCompatibilityRequirementOperator").
@@ -976,4 +1013,20 @@ var (
 enhancementPR("https://github.com/openshift/enhancements/pull/1908").
 enable(inDevPreviewNoUpgrade(), inTechPreviewNoUpgrade()).
 mustRegister()
+
+ FeatureGateTLSGroupPreferences = newFeatureGate("TLSGroupPreferences").
+ reportProblemsToJiraComponent("Networking / router").
+ contactPerson("davidesalerno").
+ productScope(ocpSpecific).
+ enhancementPR("https://github.com/openshift/enhancements/pull/1894").
+ enable(inDevPreviewNoUpgrade(), inTechPreviewNoUpgrade()).
+ mustRegister()
+
+ FeatureGateMutableTopology = newFeatureGate("MutableTopology").
+ reportProblemsToJiraComponent("Mutable Topology").
+ contactPerson("jaypoulz").
+ productScope(ocpSpecific).
+ enhancementPR("https://github.com/openshift/enhancements/pull/2008").
+ enable(inClusterProfile(SelfManaged), inDevPreviewNoUpgrade()).
+ mustRegister()
 )
diff --git a/vendor/github.com/openshift/api/features/legacyfeaturegates.go b/vendor/github.com/openshift/api/features/legacyfeaturegates.go
index 53b8962a28..a82089b9f7 100644
--- a/vendor/github.com/openshift/api/features/legacyfeaturegates.go
+++ b/vendor/github.com/openshift/api/features/legacyfeaturegates.go
@@ -83,6 +83,8 @@ var legacyFeatureGates = sets.New(
 // never add to this list, if you think you have an exception ask @deads2k
 "PrivateHostedZoneAWS",
 // never add to this list, if you think you have an exception ask @deads2k
+ "RouteExternalCertificate",
+ // never add to this list, if you think you have an exception ask @deads2k
 "SetEIPForNLBIngressController",
 // never add to this list, if you think you have an exception ask @deads2k
 "SignatureStores",
diff --git a/vendor/github.com/openshift/api/operator/v1/types_authentication.go b/vendor/github.com/openshift/api/operator/v1/types_authentication.go
index 7cc22d1e4e..4d0e9f6d68 100644
--- a/vendor/github.com/openshift/api/operator/v1/types_authentication.go
+++ b/vendor/github.com/openshift/api/operator/v1/types_authentication.go
@@ -49,6 +49,11 @@ type OAuthAPIServerStatus struct {
 // +optional
 // +kubebuilder:validation:Minimum=0
 LatestAvailableRevision int32 `json:"latestAvailableRevision,omitempty"`
+
+ // encryptionStatus contains status reports for the KMS plugin health and its key rotation.
+ // +optional
+ // +openshift:enable:FeatureGate=KMSEncryption
+ EncryptionStatus KMSEncryptionStatus `json:"encryptionStatus,omitempty,omitzero"`
 }
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
diff --git a/vendor/github.com/openshift/api/operator/v1/types_etcd.go b/vendor/github.com/openshift/api/operator/v1/types_etcd.go
index 252f3b3990..f2f1131036 100644
--- a/vendor/github.com/openshift/api/operator/v1/types_etcd.go
+++ b/vendor/github.com/openshift/api/operator/v1/types_etcd.go
@@ -42,11 +42,11 @@ type EtcdSpec struct {
 HardwareSpeed ControlPlaneHardwareSpeed `json:"controlPlaneHardwareSpeed"`
 // backendQuotaGiB sets the etcd backend storage size limit in gibibytes.
- // The value should be an integer not less than 8 and not more than 32.
+ // The value should be an integer not less than 8 and not more than 16.
 // When not specified, the default value is 8.
 // +kubebuilder:default:=8
 // +kubebuilder:validation:Minimum=8
- // +kubebuilder:validation:Maximum=32
+ // +kubebuilder:validation:Maximum=16
 // +kubebuilder:validation:XValidation:rule="self>=oldSelf",message="etcd backendQuotaGiB may not be decreased"
 // +openshift:enable:FeatureGate=EtcdBackendQuota
 // +default=8
diff --git a/vendor/github.com/openshift/api/operator/v1/types_ingress.go b/vendor/github.com/openshift/api/operator/v1/types_ingresscontroller.go
similarity index 100%
rename from vendor/github.com/openshift/api/operator/v1/types_ingress.go
rename to vendor/github.com/openshift/api/operator/v1/types_ingresscontroller.go
diff --git a/vendor/github.com/openshift/api/operator/v1/types_kmsencryption.go b/vendor/github.com/openshift/api/operator/v1/types_kmsencryption.go
new file mode 100644
index 0000000000..a5dcf7d334
--- /dev/null
+++ b/vendor/github.com/openshift/api/operator/v1/types_kmsencryption.go
@@ -0,0 +1,80 @@
+package v1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +kubebuilder:validation:Enum=Healthy;Unhealthy;Error
+type KMSPluginHealthStatus string
+
+const (
+ KMSPluginHealthStatusHealthy KMSPluginHealthStatus = "Healthy"
+
+ KMSPluginHealthStatusUnhealthy KMSPluginHealthStatus = "Unhealthy"
+
+ KMSPluginHealthStatusError KMSPluginHealthStatus = "Error"
+)
+
+// +openshift:compatibility-gen:level=1
+type KMSPluginHealthReport struct {
+
+ // nodeName is the name of the node this instance of the plugin runs on.
+ // The combination of nodeName and keyId makes this health report unique.
+ // The value must be a valid Kubernetes node name: a lowercase RFC 1123 subdomain
+ // consisting of lowercase alphanumeric characters, '-' or '.', starting and ending with
+ // an alphanumeric character, and be at most 253 characters in length.
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=253
+ // +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="nodeName must be a lowercase RFC 1123 subdomain consisting of lowercase alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character"
+ // +required
+ NodeName string `json:"nodeName,omitempty"`
+
+ // keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node.
+ // This is not a cryptographic key used to encrypt/decrypt any resources.
+ // The value must be between 1 and 512 characters.
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=512
+ // +required
+ KeyId string `json:"keyId,omitempty"`
+
+ // status contains a health indicator for the respective KMS plugin
+ // The field can have three states: healthy, unhealthy, error.
+ // With error and unhealthy containing additional information in Detail. 
+ // +required
+ Status KMSPluginHealthStatus `json:"status,omitempty"`
+
+ // lastCheckedTime is a timestamp of when the probe was last checked.
+ // +required
+ LastCheckedTime metav1.Time `json:"lastCheckedTime,omitempty"`
+
+ // kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id.
+ // This is not a cryptographic key, but a unique representation of the KEK.
+ // The value must be between 1 and 1024 characters.
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=1024
+ // +required
+ KEKId string `json:"kekId,omitempty"`
+
+ // detail contains additional error/health information for the respective KMS plugin.
+ // When omitted, no additional error or health information is provided.
+ // When set, the value must be between 1 and 1024 characters.
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=1024
+ // +optional
+ Detail string `json:"detail,omitempty"`
+}
+
+// +openshift:compatibility-gen:level=1
+// +kubebuilder:validation:MinProperties=1
+type KMSEncryptionStatus struct {
+ // healthReports contains all KMS plugin health reports.
+ // When omitted, no health reports are available.
+ // Each entry must have a unique combination of nodeName and keyId.
+ // +optional
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:MaxItems=200
+ // +listType=map
+ // +listMapKey=nodeName
+ // +listMapKey=keyId
+ HealthReports []KMSPluginHealthReport `json:"healthReports,omitempty"`
+}
diff --git a/vendor/github.com/openshift/api/operator/v1/types_kubeapiserver.go b/vendor/github.com/openshift/api/operator/v1/types_kubeapiserver.go
index 1461f11a12..31b0c201b4 100644
--- a/vendor/github.com/openshift/api/operator/v1/types_kubeapiserver.go
+++ b/vendor/github.com/openshift/api/operator/v1/types_kubeapiserver.go
@@ -63,6 +63,11 @@ type KubeAPIServerStatus struct {
 // +optional
 // +listType=atomic
 ServiceAccountIssuers []ServiceAccountIssuerStatus `json:"serviceAccountIssuers,omitempty"`
+
+ // encryptionStatus contains status reports for the KMS plugin health and its key rotation.
+ // +optional
+ // +openshift:enable:FeatureGate=KMSEncryption
+ EncryptionStatus KMSEncryptionStatus `json:"encryptionStatus,omitempty,omitzero"`
 }
 type ServiceAccountIssuerStatus struct {
diff --git a/vendor/github.com/openshift/api/operator/v1/types_openshiftapiserver.go b/vendor/github.com/openshift/api/operator/v1/types_openshiftapiserver.go
index a96e033cb7..c9d104ad2c 100644
--- a/vendor/github.com/openshift/api/operator/v1/types_openshiftapiserver.go
+++ b/vendor/github.com/openshift/api/operator/v1/types_openshiftapiserver.go
@@ -39,6 +39,11 @@ type OpenShiftAPIServerSpec struct {
 type OpenShiftAPIServerStatus struct {
 OperatorStatus `json:",inline"`
+
+ // encryptionStatus contains status reports for the KMS plugin health and its key rotation.
+ // +optional
+ // +openshift:enable:FeatureGate=KMSEncryption
+ EncryptionStatus KMSEncryptionStatus `json:"encryptionStatus,omitempty,omitzero"`
 }
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go
index 3d3c8f4f82..b39071949a 100644
--- a/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go
+++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go
@@ -338,7 +338,7 @@ func (in *AuthenticationSpec) DeepCopy() *AuthenticationSpec {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AuthenticationStatus) DeepCopyInto(out *AuthenticationStatus) {
 *out = *in
- out.OAuthAPIServer = in.OAuthAPIServer
+ in.OAuthAPIServer.DeepCopyInto(&out.OAuthAPIServer)
 in.OperatorStatus.DeepCopyInto(&out.OperatorStatus)
 return
 }
@@ -2749,6 +2749,46 @@ func (in *IrreconcilableValidationOverrides) DeepCopy() *IrreconcilableValidatio
 return out
 }
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *KMSEncryptionStatus) DeepCopyInto(out *KMSEncryptionStatus) {
+ *out = *in
+ if in.HealthReports != nil {
+ in, out := &in.HealthReports, &out.HealthReports
+ *out = make([]KMSPluginHealthReport, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KMSEncryptionStatus.
+func (in *KMSEncryptionStatus) DeepCopy() *KMSEncryptionStatus {
+ if in == nil {
+ return nil
+ }
+ out := new(KMSEncryptionStatus)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *KMSPluginHealthReport) DeepCopyInto(out *KMSPluginHealthReport) {
+ *out = *in
+ in.LastCheckedTime.DeepCopyInto(&out.LastCheckedTime)
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KMSPluginHealthReport.
+func (in *KMSPluginHealthReport) DeepCopy() *KMSPluginHealthReport {
+ if in == nil {
+ return nil
+ }
+ out := new(KMSPluginHealthReport)
+ in.DeepCopyInto(out)
+ return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KubeAPIServer) DeepCopyInto(out *KubeAPIServer) {
 *out = *in
@@ -2838,6 +2878,7 @@ func (in *KubeAPIServerStatus) DeepCopyInto(out *KubeAPIServerStatus) {
 (*in)[i].DeepCopyInto(&(*out)[i])
 }
 }
+ in.EncryptionStatus.DeepCopyInto(&out.EncryptionStatus)
 return
 }
@@ -4038,6 +4079,7 @@ func (in *NodeStatus) DeepCopy() *NodeStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OAuthAPIServerStatus) DeepCopyInto(out *OAuthAPIServerStatus) {
 *out = *in
+ in.EncryptionStatus.DeepCopyInto(&out.EncryptionStatus)
 return
 }
@@ -4287,6 +4329,7 @@ func (in *OpenShiftAPIServerSpec) DeepCopy() *OpenShiftAPIServerSpec {
 func (in *OpenShiftAPIServerStatus) DeepCopyInto(out *OpenShiftAPIServerStatus) {
 *out = *in
 in.OperatorStatus.DeepCopyInto(&out.OperatorStatus)
+ in.EncryptionStatus.DeepCopyInto(&out.EncryptionStatus)
 return
 }
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml
index aaf0972908..9edb02ec6e 100644
--- a/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml
+++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml
@@ -5,7 +5,8 @@ authentications.operator.openshift.io:
 CRDName: authentications.operator.openshift.io
 Capability: ""
 Category: ""
- FeatureGates: []
+ FeatureGates:
+ - KMSEncryption
 FilenameOperatorName: authentication
 FilenameOperatorOrdering: "01"
 FilenameRunLevel: "0000_50"
@@ -178,6 +179,7 @@ ingresscontrollers.operator.openshift.io:
 Category: ""
 FeatureGates:
 - IngressControllerDynamicConfigurationManager
+ - TLSGroupPreferences
 FilenameOperatorName: ingress
 FilenameOperatorOrdering: "00"
 FilenameRunLevel: "0000_50"
@@ -221,6 +223,7 @@ kubeapiservers.operator.openshift.io:
 Category: coreoperators
 FeatureGates:
 - EventTTL
+ - KMSEncryption
 FilenameOperatorName: kube-apiserver
 FilenameOperatorOrdering: "01"
 FilenameRunLevel: "0000_20"
@@ -375,7 +378,8 @@ openshiftapiservers.operator.openshift.io:
 CRDName: openshiftapiservers.operator.openshift.io
 Capability: ""
 Category: coreoperators
- FeatureGates: []
+ FeatureGates:
+ - KMSEncryption
 FilenameOperatorName: openshift-apiserver
 FilenameOperatorOrdering: "01"
 FilenameRunLevel: "0000_30"
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go
index c3ed726028..038638551e 100644
--- a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go
+++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go
@@ -137,6 +137,7 @@ func (AuthenticationStatus) SwaggerDoc() map[string]string {
 var map_OAuthAPIServerStatus = map[string]string{
 "latestAvailableRevision": "latestAvailableRevision is the latest revision used as suffix of revisioned secrets like encryption-config. A new revision causes a new deployment of pods.",
+ "encryptionStatus": "encryptionStatus contains status reports for the KMS plugin health and its key rotation.",
 }
 func (OAuthAPIServerStatus) SwaggerDoc() map[string]string {
@@ -798,7 +799,7 @@ func (EtcdList) SwaggerDoc() map[string]string {
 var map_EtcdSpec = map[string]string{
 "controlPlaneHardwareSpeed": "HardwareSpeed allows user to change the etcd tuning profile which configures the latency parameters for heartbeat interval and leader election timeouts allowing the cluster to tolerate longer round-trip-times between etcd members. Valid values are \"\", \"Standard\" and \"Slower\".\n\t\"\" means no opinion and the platform is left to choose a reasonable default\n\twhich is subject to change without notice.",
- "backendQuotaGiB": "backendQuotaGiB sets the etcd backend storage size limit in gibibytes. The value should be an integer not less than 8 and not more than 32. When not specified, the default value is 8.",
+ "backendQuotaGiB": "backendQuotaGiB sets the etcd backend storage size limit in gibibytes. The value should be an integer not less than 8 and not more than 16. When not specified, the default value is 8.",
 }
 func (EtcdSpec) SwaggerDoc() map[string]string {
@@ -1296,6 +1297,27 @@ func (InsightsReport) SwaggerDoc() map[string]string {
 return map_InsightsReport
 }
+var map_KMSEncryptionStatus = map[string]string{
+ "healthReports": "healthReports contains all KMS plugin health reports. When omitted, no health reports are available. Each entry must have a unique combination of nodeName and keyId.",
+}
+
+func (KMSEncryptionStatus) SwaggerDoc() map[string]string {
+ return map_KMSEncryptionStatus
+}
+
+var map_KMSPluginHealthReport = map[string]string{
+ "nodeName": "nodeName is the name of the node this instance of the plugin runs on. The combination of nodeName and keyId makes this health report unique. The value must be a valid Kubernetes node name: a lowercase RFC 1123 subdomain consisting of lowercase alphanumeric characters, '-' or '.', starting and ending with an alphanumeric character, and be at most 253 characters in length.",
+ "keyId": "keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node. This is not a cryptographic key used to encrypt/decrypt any resources. The value must be between 1 and 512 characters.",
+ "status": "status contains a health indicator for the respective KMS plugin The field can have three states: healthy, unhealthy, error. With error and unhealthy containing additional information in Detail.",
+ "lastCheckedTime": "lastCheckedTime is a timestamp of when the probe was last checked.",
+ "kekId": "kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. This is not a cryptographic key, but a unique representation of the KEK. The value must be between 1 and 1024 characters.",
+ "detail": "detail contains additional error/health information for the respective KMS plugin. When omitted, no additional error or health information is provided. 
When set, the value must be between 1 and 1024 characters.",
+}
+
+func (KMSPluginHealthReport) SwaggerDoc() map[string]string {
+ return map_KMSPluginHealthReport
+}
+
 var map_KubeAPIServer = map[string]string{
 "": "KubeAPIServer provides information to configure an operator to manage kube-apiserver.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
 "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
@@ -1327,6 +1349,7 @@ func (KubeAPIServerSpec) SwaggerDoc() map[string]string {
 var map_KubeAPIServerStatus = map[string]string{
 "serviceAccountIssuers": "serviceAccountIssuers tracks history of used service account issuers. The item without expiration time represents the currently used service account issuer. The other items represents service account issuers that were used previously and are still being trusted. The default expiration for the items is set by the platform and it defaults to 24h. see: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection",
+ "encryptionStatus": "encryptionStatus contains status reports for the KMS plugin health and its key rotation.",
 }
 func (KubeAPIServerStatus) SwaggerDoc() map[string]string {
@@ -2080,6 +2103,14 @@ func (OpenShiftAPIServerList) SwaggerDoc() map[string]string {
 return map_OpenShiftAPIServerList
 }
+var map_OpenShiftAPIServerStatus = map[string]string{
+ "encryptionStatus": "encryptionStatus contains status reports for the KMS plugin health and its key rotation.",
+}
+
+func (OpenShiftAPIServerStatus) SwaggerDoc() map[string]string {
+ return map_OpenShiftAPIServerStatus
+}
+
 var map_OpenShiftControllerManager = map[string]string{
 "": "OpenShiftControllerManager provides information to configure an operator to manage openshift-controller-manager.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
 "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
diff --git a/vendor/github.com/openshift/api/route/v1/generated.proto b/vendor/github.com/openshift/api/route/v1/generated.proto
index 28f8c311ee..85018b16b7 100644
--- a/vendor/github.com/openshift/api/route/v1/generated.proto
+++ b/vendor/github.com/openshift/api/route/v1/generated.proto
@@ -411,7 +411,7 @@ message RouterShard {
 // TLSConfig defines config used to secure a route and provide termination
 //
 // +kubebuilder:validation:XValidation:rule="has(self.termination) && has(self.insecureEdgeTerminationPolicy) ? !((self.termination=='passthrough') && (self.insecureEdgeTerminationPolicy=='Allow')) : true", message="cannot have both spec.tls.termination: passthrough and spec.tls.insecureEdgeTerminationPolicy: Allow"
-// +kubebuilder:validation:XValidation:rule="!(has(self.certificate) && has(self.externalCertificate))", message="cannot have both spec.tls.certificate and spec.tls.externalCertificate"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=RouteExternalCertificate,rule="!(has(self.certificate) && has(self.externalCertificate))", message="cannot have both spec.tls.certificate and spec.tls.externalCertificate"
 message TLSConfig {
 // termination indicates the TLS termination type.
 //
@@ -464,6 +464,7 @@ message TLSConfig {
 // The router service account needs to be granted with read-only access to this secret,
 // please refer to openshift docs for additional details.
 //
+ // +openshift:enable:FeatureGate=RouteExternalCertificate
 // +optional
 optional LocalObjectReference externalCertificate = 7;
 }
diff --git a/vendor/github.com/openshift/api/route/v1/types.go b/vendor/github.com/openshift/api/route/v1/types.go
index 41f362fdf4..35c4064825 100644
--- a/vendor/github.com/openshift/api/route/v1/types.go
+++ b/vendor/github.com/openshift/api/route/v1/types.go
@@ -422,7 +422,7 @@ type RouterShard struct {
 // TLSConfig defines config used to secure a route and provide termination
 //
 // +kubebuilder:validation:XValidation:rule="has(self.termination) && has(self.insecureEdgeTerminationPolicy) ? !((self.termination=='passthrough') && (self.insecureEdgeTerminationPolicy=='Allow')) : true", message="cannot have both spec.tls.termination: passthrough and spec.tls.insecureEdgeTerminationPolicy: Allow"
-// +kubebuilder:validation:XValidation:rule="!(has(self.certificate) && has(self.externalCertificate))", message="cannot have both spec.tls.certificate and spec.tls.externalCertificate"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=RouteExternalCertificate,rule="!(has(self.certificate) && has(self.externalCertificate))", message="cannot have both spec.tls.certificate and spec.tls.externalCertificate"
 type TLSConfig struct {
 	// termination indicates the TLS termination type.
 	//
@@ -475,6 +475,7 @@ type TLSConfig struct {
 	// The router service account needs to be granted with read-only access to this secret,
 	// please refer to openshift docs for additional details.
 	//
+	// +openshift:enable:FeatureGate=RouteExternalCertificate
 	// +optional
 	ExternalCertificate *LocalObjectReference `json:"externalCertificate,omitempty" protobuf:"bytes,7,opt,name=externalCertificate"`
 }
diff --git a/vendor/github.com/openshift/api/route/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/route/v1/zz_generated.featuregated-crd-manifests.yaml
index 33666eba4b..0277ba2f32 100644
--- a/vendor/github.com/openshift/api/route/v1/zz_generated.featuregated-crd-manifests.yaml
+++ b/vendor/github.com/openshift/api/route/v1/zz_generated.featuregated-crd-manifests.yaml
@@ -4,7 +4,8 @@ routes.route.openshift.io:
   CRDName: routes.route.openshift.io
   Capability: ""
   Category: ""
-  FeatureGates: []
+  FeatureGates:
+  - RouteExternalCertificate
   FilenameOperatorName: ""
   FilenameOperatorOrdering: ""
   FilenameRunLevel: ""
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clientcredentialconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clientcredentialconfig.go new file mode 100644 index 0000000000..c23f4d5307 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clientcredentialconfig.go 
@@ -0,0 +1,98 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +import ( + configv1 "github.com/openshift/api/config/v1" +) + +// ClientCredentialConfigApplyConfiguration represents a declarative configuration of the ClientCredentialConfig type for use +// with apply. +// +// ClientCredentialConfig configures the client credentials and token endpoint +// to use to get an access token via the OAuth2 client credentials grant flow. +type ClientCredentialConfigApplyConfiguration struct { + // clientID is a required client identifier to use during the OAuth2 client credentials flow. + // clientID must be at least 1 character in length, must not exceed 256 characters in length, + // and must only contain printable ASCII characters. + ClientID *string `json:"clientID,omitempty"` + // clientSecret is a required reference to a Secret in the openshift-config namespace to be used + // as the client secret during the OAuth2 client credentials flow. + // + // The key 'client-secret' is used to locate the client secret data in the Secret. + ClientSecret *ClientSecretSecretReferenceApplyConfiguration `json:"clientSecret,omitempty"` + // tokenEndpoint is a required URL to query for an access token using + // the client credential OAuth2 flow. + // tokenEndpoint must be at least 1 character in length and must not exceed 2048 characters in length. + // tokenEndpoint must be a valid HTTPS URL. + // tokenEndpoint must have a host and a path. + // tokenEndpoint must not contain query parameters, fragments, + // or user information (e.g., "user:password@host"). + TokenEndpoint *string `json:"tokenEndpoint,omitempty"` + // scopes is an optional list of OAuth2 scopes to request when obtaining + // an access token. + // + // If not specified, the token endpoint's default scopes + // will be used. + // + // When specified, there must be at least 1 entry and must not exceed 16 entries. 
+ // Each entry must be at least 1 character in length and must not exceed 256 characters in length. + // Each entry must only contain printable ASCII characters, excluding spaces, double quotes and backslashes. + // Entries must be unique. + Scopes []configv1.OAuth2Scope `json:"scopes,omitempty"` + // tls is an optional field that allows configuring the TLS + // settings used to interact with the identity provider + // as an OAuth2 client. + // + // When omitted, system default TLS settings will be used + // for the OAuth2 client. + TLS *ExternalSourceTLSApplyConfiguration `json:"tls,omitempty"` +} + +// ClientCredentialConfigApplyConfiguration constructs a declarative configuration of the ClientCredentialConfig type for use with +// apply. +func ClientCredentialConfig() *ClientCredentialConfigApplyConfiguration { + return &ClientCredentialConfigApplyConfiguration{} +} + +// WithClientID sets the ClientID field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ClientID field is set to the value of the last call. +func (b *ClientCredentialConfigApplyConfiguration) WithClientID(value string) *ClientCredentialConfigApplyConfiguration { + b.ClientID = &value + return b +} + +// WithClientSecret sets the ClientSecret field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ClientSecret field is set to the value of the last call. 
+func (b *ClientCredentialConfigApplyConfiguration) WithClientSecret(value *ClientSecretSecretReferenceApplyConfiguration) *ClientCredentialConfigApplyConfiguration { + b.ClientSecret = value + return b +} + +// WithTokenEndpoint sets the TokenEndpoint field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the TokenEndpoint field is set to the value of the last call. +func (b *ClientCredentialConfigApplyConfiguration) WithTokenEndpoint(value string) *ClientCredentialConfigApplyConfiguration { + b.TokenEndpoint = &value + return b +} + +// WithScopes adds the given value to the Scopes field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Scopes field. +func (b *ClientCredentialConfigApplyConfiguration) WithScopes(values ...configv1.OAuth2Scope) *ClientCredentialConfigApplyConfiguration { + for i := range values { + b.Scopes = append(b.Scopes, values[i]) + } + return b +} + +// WithTLS sets the TLS field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the TLS field is set to the value of the last call. +func (b *ClientCredentialConfigApplyConfiguration) WithTLS(value *ExternalSourceTLSApplyConfiguration) *ClientCredentialConfigApplyConfiguration { + b.TLS = value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clientsecretsecretreference.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clientsecretsecretreference.go new file mode 100644 index 0000000000..5b2a8fe03f --- /dev/null 
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clientsecretsecretreference.go @@ -0,0 +1,32 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +// ClientSecretSecretReferenceApplyConfiguration represents a declarative configuration of the ClientSecretSecretReference type for use +// with apply. +// +// ClientSecretSecretReference is a reference to a Secret in the openshift-config +// namespace that should be used for configuring the client secret to be +// used when sourcing claims from external sources with the client credential authentication flow. +type ClientSecretSecretReferenceApplyConfiguration struct { + // name is the required name of the Secret that exists in the openshift-config namespace. + // + // It must be at least 1 character in length, must not exceed 253 characters in length, + // must start and end with a lowercase alphanumeric character, and must only contain + // lowercase alphanumeric characters, '-' or '.'. + Name *string `json:"name,omitempty"` +} + +// ClientSecretSecretReferenceApplyConfiguration constructs a declarative configuration of the ClientSecretSecretReference type for use with +// apply. +func ClientSecretSecretReference() *ClientSecretSecretReferenceApplyConfiguration { + return &ClientSecretSecretReferenceApplyConfiguration{} +} + +// WithName sets the Name field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Name field is set to the value of the last call. +func (b *ClientSecretSecretReferenceApplyConfiguration) WithName(value string) *ClientSecretSecretReferenceApplyConfiguration { + b.Name = &value + return b +} 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/customtlsprofile.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/customtlsprofile.go index 7df6a4be9e..7b682ef205 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/customtlsprofile.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/customtlsprofile.go @@ -31,6 +31,16 @@ func (b *CustomTLSProfileApplyConfiguration) WithCiphers(values ...string) *Cust return b } +// WithGroups adds the given value to the Groups field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Groups field. +func (b *CustomTLSProfileApplyConfiguration) WithGroups(values ...configv1.TLSGroup) *CustomTLSProfileApplyConfiguration { + for i := range values { + b.TLSProfileSpecApplyConfiguration.Groups = append(b.TLSProfileSpecApplyConfiguration.Groups, values[i]) + } + return b +} + // WithMinTLSVersion sets the MinTLSVersion field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the MinTLSVersion field is set to the value of the last call. diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalclaimssource.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalclaimssource.go new file mode 100644 index 0000000000..143544e7cd --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalclaimssource.go 
@@ -0,0 +1,97 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +// ExternalClaimsSourceApplyConfiguration represents a declarative configuration of the ExternalClaimsSource type for use +// with apply. +// +// ExternalClaimsSource provides the configuration for a single external claim source. +type ExternalClaimsSourceApplyConfiguration struct { + // authentication is an optional field that configures how the apiserver authenticates with an external claims source. + // When not specified, anonymous authentication is used which means no 'Authorization' header + // is sent in the HTTP request to fetch the external claims. + Authentication *ExternalSourceAuthenticationApplyConfiguration `json:"authentication,omitempty"` + // tls is an optional field that configures the http client TLS + // settings when fetching external claims from this source. + // + // When omitted, system default TLS settings will be used + // for fetching claims from the external source. + TLS *ExternalSourceTLSApplyConfiguration `json:"tls,omitempty"` + // url is a required configuration of the URL + // for which the external claims are located. + URL *SourceURLApplyConfiguration `json:"url,omitempty"` + // mappings is a required list of the claim + // and response handling expression pairs + // that produces the claims from the external source. + // mappings must have at least 1 entry and must not exceed 16 entries. + // Entries must have a unique name across all external claim sources. + Mappings []SourcedClaimMappingApplyConfiguration `json:"mappings,omitempty"` + // predicates is an optional list of constraints in + // which claims should attempt to be fetched from this + // external source. + // + // When omitted, claims are always fetched + // from this external source. + // + // When specified, all predicates must evaluate to 'true' + // before claims are attempted to be fetched from this external source. 
+ // predicates must have at least 1 entry and must not exceed 16 entries. + // Entries must have unique expressions. + Predicates []ExternalSourcePredicateApplyConfiguration `json:"predicates,omitempty"` +} + +// ExternalClaimsSourceApplyConfiguration constructs a declarative configuration of the ExternalClaimsSource type for use with +// apply. +func ExternalClaimsSource() *ExternalClaimsSourceApplyConfiguration { + return &ExternalClaimsSourceApplyConfiguration{} +} + +// WithAuthentication sets the Authentication field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Authentication field is set to the value of the last call. +func (b *ExternalClaimsSourceApplyConfiguration) WithAuthentication(value *ExternalSourceAuthenticationApplyConfiguration) *ExternalClaimsSourceApplyConfiguration { + b.Authentication = value + return b +} + +// WithTLS sets the TLS field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the TLS field is set to the value of the last call. +func (b *ExternalClaimsSourceApplyConfiguration) WithTLS(value *ExternalSourceTLSApplyConfiguration) *ExternalClaimsSourceApplyConfiguration { + b.TLS = value + return b +} + +// WithURL sets the URL field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the URL field is set to the value of the last call. 
+func (b *ExternalClaimsSourceApplyConfiguration) WithURL(value *SourceURLApplyConfiguration) *ExternalClaimsSourceApplyConfiguration { + b.URL = value + return b +} + +// WithMappings adds the given value to the Mappings field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Mappings field. +func (b *ExternalClaimsSourceApplyConfiguration) WithMappings(values ...*SourcedClaimMappingApplyConfiguration) *ExternalClaimsSourceApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithMappings") + } + b.Mappings = append(b.Mappings, *values[i]) + } + return b +} + +// WithPredicates adds the given value to the Predicates field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Predicates field. +func (b *ExternalClaimsSourceApplyConfiguration) WithPredicates(values ...*ExternalSourcePredicateApplyConfiguration) *ExternalClaimsSourceApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithPredicates") + } + b.Predicates = append(b.Predicates, *values[i]) + } + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourceauthentication.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourceauthentication.go new file mode 100644 index 0000000000..a2deb822e3 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourceauthentication.go 
@@ -0,0 +1,57 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +import ( + configv1 "github.com/openshift/api/config/v1" +) + +// ExternalSourceAuthenticationApplyConfiguration represents a declarative configuration of the ExternalSourceAuthentication type for use +// with apply. +// +// ExternalSourceAuthentication configures how the apiserver should attempt +// to authenticate with an external claims source. +type ExternalSourceAuthenticationApplyConfiguration struct { + // type is a required field that sets the type of + // authentication method used by the authenticator + // when fetching external claims. + // + // Allowed values are 'RequestProvidedToken' and 'ClientCredential'. + // + // When set to 'RequestProvidedToken', the authenticator will + // use the token provided to the kube-apiserver as part of the + // request to authenticate with the external claims source. + // + // When set to 'ClientCredential', the authenticator will + // use the configured client-id, client-secret, and token endpoint + // to fetch an access token using the OAuth2 client credentials grant + // flow. The fetched access token will then be used to authenticate + // with the external claims source. + Type *configv1.ExternalSourceAuthenticationType `json:"type,omitempty"` + // clientCredential configures the client credentials + // and token endpoint to use to get an access token. + // clientCredential is required when type is 'ClientCredential', and forbidden otherwise. + ClientCredential *ClientCredentialConfigApplyConfiguration `json:"clientCredential,omitempty"` +} + +// ExternalSourceAuthenticationApplyConfiguration constructs a declarative configuration of the ExternalSourceAuthentication type for use with +// apply. 
+func ExternalSourceAuthentication() *ExternalSourceAuthenticationApplyConfiguration { + return &ExternalSourceAuthenticationApplyConfiguration{} +} + +// WithType sets the Type field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Type field is set to the value of the last call. +func (b *ExternalSourceAuthenticationApplyConfiguration) WithType(value configv1.ExternalSourceAuthenticationType) *ExternalSourceAuthenticationApplyConfiguration { + b.Type = &value + return b +} + +// WithClientCredential sets the ClientCredential field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ClientCredential field is set to the value of the last call. +func (b *ExternalSourceAuthenticationApplyConfiguration) WithClientCredential(value *ClientCredentialConfigApplyConfiguration) *ExternalSourceAuthenticationApplyConfiguration { + b.ClientCredential = value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcecertificateauthorityconfigmapreference.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcecertificateauthorityconfigmapreference.go new file mode 100644 index 0000000000..f1fb64e745 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcecertificateauthorityconfigmapreference.go 
@@ -0,0 +1,34 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +// ExternalSourceCertificateAuthorityConfigMapReferenceApplyConfiguration represents a declarative configuration of the ExternalSourceCertificateAuthorityConfigMapReference type for use +// with apply. +// +// ExternalSourceCertificateAuthorityConfigMapReference is a reference to a ConfigMap in the openshift-config +// namespace that should be used for configuring the certificate authority to be +// used when sourcing claims from external sources. +type ExternalSourceCertificateAuthorityConfigMapReferenceApplyConfiguration struct { + // name is the required name of the ConfigMap that exists in the openshift-config namespace. + // The key "ca-bundle.crt" must be present and must contain the CA certificate to be used + // to verify the external source's TLS certificate. + // + // It must be at least 1 character in length, must not exceed 253 characters in length, + // must start and end with a lowercase alphanumeric character, and must only contain + // lowercase alphanumeric characters, '-' or '.'. + Name *string `json:"name,omitempty"` +} + +// ExternalSourceCertificateAuthorityConfigMapReferenceApplyConfiguration constructs a declarative configuration of the ExternalSourceCertificateAuthorityConfigMapReference type for use with +// apply. +func ExternalSourceCertificateAuthorityConfigMapReference() *ExternalSourceCertificateAuthorityConfigMapReferenceApplyConfiguration { + return &ExternalSourceCertificateAuthorityConfigMapReferenceApplyConfiguration{} +} + +// WithName sets the Name field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Name field is set to the value of the last call. 
+func (b *ExternalSourceCertificateAuthorityConfigMapReferenceApplyConfiguration) WithName(value string) *ExternalSourceCertificateAuthorityConfigMapReferenceApplyConfiguration { + b.Name = &value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcepredicate.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcepredicate.go new file mode 100644 index 0000000000..ade172deeb --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcepredicate.go 
@@ -0,0 +1,43 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +// ExternalSourcePredicateApplyConfiguration represents a declarative configuration of the ExternalSourcePredicate type for use +// with apply. +// +// ExternalSourcePredicate configures a singular condition +// that must return true before the external source is queried +// to retrieve external claims. +type ExternalSourcePredicateApplyConfiguration struct { + // expression is a required CEL expression that + // is used to determine whether or not an external + // source should be used to fetch external claims. + // + // The expression must return a boolean value, + // where true means that the source should be consulted + // and false means that it should not. + // + // Claims from the token used for the request to the kube-apiserver + // are made available via the `claims` variable. + // + // The contents of the `claims` variable varies based on the claims that are + // present in the token being validated. It is the responsibility of those configuring this + // field to understand what claims the identity provider includes when issuing tokens. + // + // expression must be at least 1 character and must not exceed 1024 characters in length. + Expression *string `json:"expression,omitempty"` +} + +// ExternalSourcePredicateApplyConfiguration constructs a declarative configuration of the ExternalSourcePredicate type for use with +// apply. +func ExternalSourcePredicate() *ExternalSourcePredicateApplyConfiguration { + return &ExternalSourcePredicateApplyConfiguration{} +} + +// WithExpression sets the Expression field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Expression field is set to the value of the last call. 
+func (b *ExternalSourcePredicateApplyConfiguration) WithExpression(value string) *ExternalSourcePredicateApplyConfiguration { + b.Expression = &value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcetls.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcetls.go new file mode 100644 index 0000000000..a0b84ad6d5 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcetls.go 
@@ -0,0 +1,30 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +// ExternalSourceTLSApplyConfiguration represents a declarative configuration of the ExternalSourceTLS type for use +// with apply. +// +// ExternalSourceTLS configures the TLS options that the apiserver uses as a client +// when making a request to the external claim source. +type ExternalSourceTLSApplyConfiguration struct { + // certificateAuthority is a required reference to a ConfigMap in the openshift-config + // namespace that contains the CA certificate to use to validate TLS connections with the external claims source. + // The key "ca-bundle.crt" must be present in the referenced ConfigMap and must contain the CA certificate to be used + // to verify the external source's TLS certificate. + CertificateAuthority *ExternalSourceCertificateAuthorityConfigMapReferenceApplyConfiguration `json:"certificateAuthority,omitempty"` +} + +// ExternalSourceTLSApplyConfiguration constructs a declarative configuration of the ExternalSourceTLS type for use with +// apply. +func ExternalSourceTLS() *ExternalSourceTLSApplyConfiguration { + return &ExternalSourceTLSApplyConfiguration{} +} + +// WithCertificateAuthority sets the CertificateAuthority field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the CertificateAuthority field is set to the value of the last call. +func (b *ExternalSourceTLSApplyConfiguration) WithCertificateAuthority(value *ExternalSourceCertificateAuthorityConfigMapReferenceApplyConfiguration) *ExternalSourceTLSApplyConfiguration { + b.CertificateAuthority = value + return b +} 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkobservabilityspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkobservabilityspec.go new file mode 100644 index 0000000000..1ccd980764 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkobservabilityspec.go 
@@ -0,0 +1,33 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +import ( + configv1 "github.com/openshift/api/config/v1" +) + +// NetworkObservabilitySpecApplyConfiguration represents a declarative configuration of the NetworkObservabilitySpec type for use +// with apply. +// +// NetworkObservabilitySpec defines the configuration for network observability installation +type NetworkObservabilitySpecApplyConfiguration struct { + // installationPolicy controls whether network observability is installed during cluster deployment. + // Valid values are "InstallAndEnable" and "NoAction". + // When set to "InstallAndEnable", ensure that network observability will be installed and enabled on the cluster. If already installed, no action taken, but if it gets uninstalled, it will install it again. + // When set to "NoAction", nothing will be done regarding Network observability. + InstallationPolicy *configv1.NetworkObservabilityInstallationPolicy `json:"installationPolicy,omitempty"` +} + +// NetworkObservabilitySpecApplyConfiguration constructs a declarative configuration of the NetworkObservabilitySpec type for use with +// apply. +func NetworkObservabilitySpec() *NetworkObservabilitySpecApplyConfiguration { + return &NetworkObservabilitySpecApplyConfiguration{} +} + +// WithInstallationPolicy sets the InstallationPolicy field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the InstallationPolicy field is set to the value of the last call. +func (b *NetworkObservabilitySpecApplyConfiguration) WithInstallationPolicy(value configv1.NetworkObservabilityInstallationPolicy) *NetworkObservabilitySpecApplyConfiguration { + b.InstallationPolicy = &value + return b +} 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkspec.go index 4a3f9b7b89..27e7480ecf 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkspec.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkspec.go @@ -42,6 +42,10 @@ type NetworkSpecApplyConfiguration struct { // and the spec.disableNetworkDiagnostics flag in network.operator.openshift.io is set to true, // the network diagnostics feature will be disabled. NetworkDiagnostics *NetworkDiagnosticsApplyConfiguration `json:"networkDiagnostics,omitempty"` + // networkObservability is an optional field that configures network observability installation + // during cluster deployment (day-0). + // When omitted, unless this is a SNO cluster, network observability will be installed if not already present, after that, no action taken. + NetworkObservability *NetworkObservabilitySpecApplyConfiguration `json:"networkObservability,omitempty"` } // NetworkSpecApplyConfiguration constructs a declarative configuration of the NetworkSpec type for use with @@ -104,3 +108,11 @@ func (b *NetworkSpecApplyConfiguration) WithNetworkDiagnostics(value *NetworkDia b.NetworkDiagnostics = value return b } + +// WithNetworkObservability sets the NetworkObservability field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the NetworkObservability field is set to the value of the last call. +func (b *NetworkSpecApplyConfiguration) WithNetworkObservability(value *NetworkObservabilitySpecApplyConfiguration) *NetworkSpecApplyConfiguration { + b.NetworkObservability = value + return b +} 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcprovider.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcprovider.go index 6f5a249a70..4fb1c97ebc 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcprovider.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcprovider.go 
@@ -26,6 +26,27 @@ type OIDCProviderApplyConfiguration struct { // If any rule in the chain of rules evaluates to 'false', authentication will fail. // When specified, at least one rule must be specified and no more than 64 rules may be specified. UserValidationRules []TokenUserValidationRuleApplyConfiguration `json:"userValidationRules,omitempty"` + // externalClaimsSources is an optional field that can be used to configure + // sources, external to the token provided in a request, in which claims + // should be fetched from and made available to the claim mapping process + // that is used to build the identity of a token holder. + // + // For example, fetching additional user metadata from an OIDC provider's UserInfo endpoint. + // + // When not specified, only claims present in the token itself will be available + // in the claim mapping process. + // + // When specified, at least one external claim source must be specified and no more than 5 + // sources may be specified. + // All external claim sources must have unique claim mappings. + // When an external source responds and resolves additional claims successfully, they will + // be made available as claims during the claim mapping process. + // Externally sourced claims with the same name as a claim existing within the token will + // overwrite the claim data from the token with the externally sourced information. + // If an external source does not respond, responds with an error, or the additional + // claim data cannot be resolved from the response successfully it will not be + // included in the claim data passed to the claim mapping process. + ExternalClaimsSources []ExternalClaimsSourceApplyConfiguration `json:"externalClaimsSources,omitempty"` } // OIDCProviderApplyConfiguration constructs a declarative configuration of the OIDCProvider type for use with 
@@ -96,3 +117,16 @@ func (b *OIDCProviderApplyConfiguration) WithUserValidationRules(values ...*Toke } return b } + +// WithExternalClaimsSources adds the given value to the ExternalClaimsSources field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the ExternalClaimsSources field. +func (b *OIDCProviderApplyConfiguration) WithExternalClaimsSources(values ...*ExternalClaimsSourceApplyConfiguration) *OIDCProviderApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithExternalClaimsSources") + } + b.ExternalClaimsSources = append(b.ExternalClaimsSources, *values[i]) + } + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/sourcedclaimmapping.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/sourcedclaimmapping.go new file mode 100644 index 0000000000..92c4dc24f7 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/sourcedclaimmapping.go 
@@ -0,0 +1,51 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +// SourcedClaimMappingApplyConfiguration represents a declarative configuration of the SourcedClaimMapping type for use +// with apply. +// +// SourcedClaimMapping configures the mapping behavior for a single external claim +// from the response the apiserver received from the external claim source. +type SourcedClaimMappingApplyConfiguration struct { + // name is a required name of the claim that + // will be produced and made available during + // the claim-to-identity mapping process. + // name must consist of only lowercase alpha characters and underscores ('_'). + // name must be at least 1 character and must not exceed 256 characters in length. + Name *string `json:"name,omitempty"` + // expression is a required CEL expression that + // will produce a value to be assigned to the claim. + // The full response body from the request to the + // external claim source is provided via the + // `response.body` variable. + // + // The contents of the `response.body` variable varies based on the response received + // from the external source. It is the responsibility of those configuring + // this expression to understand what is returned from the external source. + // + // expression must be at least 1 character and must not exceed 1024 characters in length. + Expression *string `json:"expression,omitempty"` +} + +// SourcedClaimMappingApplyConfiguration constructs a declarative configuration of the SourcedClaimMapping type for use with +// apply. +func SourcedClaimMapping() *SourcedClaimMappingApplyConfiguration { + return &SourcedClaimMappingApplyConfiguration{} +} + +// WithName sets the Name field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Name field is set to the value of the last call. 
+func (b *SourcedClaimMappingApplyConfiguration) WithName(value string) *SourcedClaimMappingApplyConfiguration { + b.Name = &value + return b +} + +// WithExpression sets the Expression field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Expression field is set to the value of the last call. +func (b *SourcedClaimMappingApplyConfiguration) WithExpression(value string) *SourcedClaimMappingApplyConfiguration { + b.Expression = &value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/sourceurl.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/sourceurl.go new file mode 100644 index 0000000000..b94a89f39c --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/sourceurl.go 
@@ -0,0 +1,67 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +// SourceURLApplyConfiguration represents a declarative configuration of the SourceURL type for use +// with apply. +// +// SourceURL configures the options used to build the URL that is queried for external claims. +type SourceURLApplyConfiguration struct { + // hostname is a required hostname for which the external claims are located. + // + // It must be a valid DNS subdomain name as per RFC1123. + // + // This means that it must start and end with a lowercase alphanumeric character, + // must only consist of lowercase alphanumeric characters, '-', and '.'. + // hostname may optionally specify a port in the format ':{port}'. + // If a port is specified it must not exceed 65535. + // + // hostname must be at least 1 character in length. + // When specifying a port, hostname must not exceed 259 characters in length. + // When not specifying a port, hostname must not exceed 253 characters in length. + Hostname *string `json:"hostname,omitempty"` + // pathExpression is a required CEL expression that returns a list + // of string values used to construct the URL path. + // Claims from the token used for the request to the kube-apiserver + // are made available via the `claims` variable. + // expression must be at least 1 character in length and must not exceed 1024 characters in length. + // + // Values in the returned list will be joined with the hostname using a forward slash + // (`/`) as a separator. Values in the returned list do not need to include the forward slash. + // If a forward slash is included in a returned value, it will be encoded as `%2F`. 
+ // + // Example of a static path configuration: + // + // pathExpression: ['realms', 'k8s', 'protocol', 'openid-connect', 'userinfo'] + // + // The above example would resolve to the path: '/realms/k8s/protocol/openid-connect/userinfo' + // + // Example of a dynamic path configuration: + // + // pathExpression: "['admin', 'realms', 'k8s', 'users'] + [claims.sub] + ['groups']" + // + // Assuming 'claims.sub' is set to '12345', the above example would resolve to the path: '/admin/realms/k8s/users/12345/groups' + PathExpression *string `json:"pathExpression,omitempty"` +} + +// SourceURLApplyConfiguration constructs a declarative configuration of the SourceURL type for use with +// apply. +func SourceURL() *SourceURLApplyConfiguration { + return &SourceURLApplyConfiguration{} +} + +// WithHostname sets the Hostname field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Hostname field is set to the value of the last call. +func (b *SourceURLApplyConfiguration) WithHostname(value string) *SourceURLApplyConfiguration { + b.Hostname = &value + return b +} + +// WithPathExpression sets the PathExpression field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the PathExpression field is set to the value of the last call. +func (b *SourceURLApplyConfiguration) WithPathExpression(value string) *SourceURLApplyConfiguration { + b.PathExpression = &value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tlsprofilespec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tlsprofilespec.go index 5e34ffd5db..cbefaf5169 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tlsprofilespec.go 
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tlsprofilespec.go @@ -21,6 +21,24 @@ type TLSProfileSpecApplyConfiguration struct { // TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable // and are always enabled when TLS 1.3 is negotiated. Ciphers []string `json:"ciphers,omitempty"` + // groups is an optional, ordered field used to specify the supported groups (formerly known as + // elliptic curves) that are used during the TLS handshake. The order of the groups represents + // a suggested preference, with the most preferred group first. Note that not all platform + // components honor the ordering: Go-based components use Go's internal preference order and + // treat this list as a filter of allowed groups rather than an ordered preference. + // Operators may remove entries their operands do not support. + // + // When omitted, this means no opinion and the platform is left to choose reasonable defaults which are + // subject to change over time and may be different per platform component depending on the underlying TLS + // libraries they use. If specified, the list must contain at least one and at most 7 groups, + // and each group must be unique. + // + // For example, to use X25519 and secp256r1 (yaml): + // + // groups: + // - X25519 + // - secp256r1 + Groups []configv1.TLSGroup `json:"groups,omitempty"` // minTLSVersion is used to specify the minimal version of the TLS protocol // that is negotiated during the TLS handshake. For example, to use TLS // versions 1.1, 1.2 and 1.3 (yaml): 
@@ -45,6 +63,16 @@ func (b *TLSProfileSpecApplyConfiguration) WithCiphers(values ...string) *TLSPro return b } +// WithGroups adds the given value to the Groups field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Groups field. +func (b *TLSProfileSpecApplyConfiguration) WithGroups(values ...configv1.TLSGroup) *TLSProfileSpecApplyConfiguration { + for i := range values { + b.Groups = append(b.Groups, values[i]) + } + return b +} + // WithMinTLSVersion sets the MinTLSVersion field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the MinTLSVersion field is set to the value of the last call. diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tlssecurityprofile.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tlssecurityprofile.go index dd57aad086..eab7cd4525 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tlssecurityprofile.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tlssecurityprofile.go 
@@ -15,10 +15,16 @@ type TLSSecurityProfileApplyConfiguration struct { // type is one of Old, Intermediate, Modern or Custom. Custom provides the // ability to specify individual TLS security profile parameters. // - // The profiles are based on version 5.7 of the Mozilla Server Side TLS - // configuration guidelines. The cipher lists consist of the configuration's - // "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. - // See: https://ssl-config.mozilla.org/guidelines/5.7.json + // The cipher and groups lists in these profiles are based on version 5.8 of the + // Mozilla Server Side TLS configuration guidelines. + // See: https://ssl-config.mozilla.org/guidelines/5.8.json + // + // The groups are listed in suggested preference order, with the most preferred group first. + // Note that not all platform components honor the ordering: Go-based components use Go's + // internal preference order and treat this list as a filter of allowed groups rather than + // an ordered preference. + // Note that X25519MLKEM768 is a post-quantum hybrid group that is not + // FIPS-approved and should be ignored by components running in FIPS mode. // // The profiles are intent based, so they may change over time as new ciphers are // developed and existing ciphers are found to be insecure. Depending on @@ -27,6 +33,10 @@ type TLSSecurityProfileApplyConfiguration struct { // old is a TLS profile for use when services need to be accessed by very old // clients or libraries and should be used only as a last resort. // + // The supported groups list includes by default the following groups + // in suggested preference order (ordering may not be honored by all implementations): + // X25519MLKEM768, X25519, secp256r1, secp384r1. + // // This profile is equivalent to a Custom profile specified as: // minTLSVersion: VersionTLS10 // ciphers: 
@@ -43,11 +53,14 @@ type TLSSecurityProfileApplyConfiguration struct { // - ECDHE-RSA-AES128-SHA256 // - ECDHE-ECDSA-AES128-SHA // - ECDHE-RSA-AES128-SHA + // - ECDHE-ECDSA-AES256-SHA384 + // - ECDHE-RSA-AES256-SHA384 // - ECDHE-ECDSA-AES256-SHA // - ECDHE-RSA-AES256-SHA // - AES128-GCM-SHA256 // - AES256-GCM-SHA384 // - AES128-SHA256 + // - AES256-SHA256 // - AES128-SHA // - AES256-SHA // - DES-CBC3-SHA @@ -56,6 +69,10 @@ type TLSSecurityProfileApplyConfiguration struct { // legacy clients and want to remain highly secure while being compatible with // most clients currently in use. // + // The supported groups list includes by default the following groups + // in suggested preference order (ordering may not be honored by all implementations): + // X25519MLKEM768, X25519, secp256r1, secp384r1. + // // This profile is equivalent to a Custom profile specified as: // minTLSVersion: VersionTLS12 // ciphers: @@ -71,7 +88,9 @@ type TLSSecurityProfileApplyConfiguration struct { Intermediate *configv1.IntermediateTLSProfile `json:"intermediate,omitempty"` // modern is a TLS security profile for use with clients that support TLS 1.3 and // do not need backward compatibility for older clients. - // + // The supported groups list includes by default the following groups + // in suggested preference order (ordering may not be honored by all implementations): + // X25519MLKEM768, X25519, secp256r1, secp384r1. // This profile is equivalent to a Custom profile specified as: // minTLSVersion: VersionTLS13 // ciphers: 
@@ -80,8 +99,11 @@ type TLSSecurityProfileApplyConfiguration struct { // - TLS_CHACHA20_POLY1305_SHA256 Modern *configv1.ModernTLSProfile `json:"modern,omitempty"` // custom is a user-defined TLS security profile. Be extremely careful using a custom - // profile as invalid configurations can be catastrophic. An example custom profile - // looks like this: + // profile as invalid configurations can be catastrophic. + // + // The supported groups list for this profile is empty by default. + // + // An example custom profile looks like this: // // minTLSVersion: VersionTLS11 // ciphers: diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultapproleauthentication.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultapproleauthentication.go index ede86ce365..9119cbe199 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultapproleauthentication.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultapproleauthentication.go @@ -9,7 +9,7 @@ package v1 type VaultAppRoleAuthenticationApplyConfiguration struct { // secret references a secret in the openshift-config namespace containing // the AppRole credentials used to authenticate with Vault. - // The secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. + // The referenced Secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. Secret *VaultSecretReferenceApplyConfiguration `json:"secret,omitempty"` } diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultkmspluginconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultkmspluginconfig.go index e8cd3bcdf2..736095a27d 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultkmspluginconfig.go 
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultkmspluginconfig.go @@ -47,14 +47,10 @@ type VaultKMSPluginConfigApplyConfiguration struct { Authentication *VaultAuthenticationApplyConfiguration `json:"authentication,omitempty"` // transitMount specifies the mount path of the Vault Transit engine. // - // When omitted, this means the user has no opinion and the platform is left - // to choose a reasonable default. These defaults are subject to change over time. - // The current default is "transit". - // - // The transit mount must be between 1 and 1024 characters when specified, cannot start or - // end with a forward slash, cannot contain consecutive forward slashes, and must only contain - // RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward - // slashes as path separators. + // The transit mount must be between 1 and 1024 characters, cannot start or + // end with a forward slash, cannot contain consecutive forward slashes, and + // must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, + // period, underscore, tilde) and forward slashes as path separators. TransitMount *string `json:"transitMount,omitempty"` // transitKey specifies the name of the encryption key in Vault's Transit engine. // This key is used to encrypt and decrypt data. diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaulttlsconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaulttlsconfig.go index 9fba4e1a42..04bf8c3bf1 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaulttlsconfig.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaulttlsconfig.go 
@@ -9,7 +9,7 @@ package v1 type VaultTLSConfigApplyConfiguration struct { // caBundle references a ConfigMap in the openshift-config namespace containing // the CA certificate bundle used to verify the TLS connection to the Vault server. - // The ConfigMap must contain the CA bundle in the key "ca-bundle.crt". + // The referenced ConfigMap must contain the CA bundle in the key "ca-bundle.crt". // When this field is not set, the system's trusted CA certificates are used. // // The namespace for the ConfigMap is openshift-config. diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/alertmanagercustomconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/alertmanagercustomconfig.go index c47130a180..37c93f7e15 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/alertmanagercustomconfig.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/alertmanagercustomconfig.go 
@@ -13,8 +13,23 @@ import ( // AlertmanagerCustomConfig represents the configuration for a custom Alertmanager deployment. // alertmanagerCustomConfig provides configuration options for the default Alertmanager instance // that runs in the `openshift-monitoring` namespace. Use this configuration to control -// whether the default Alertmanager is deployed, how it logs, and how its pods are scheduled. +// whether user-defined namespaces are selected for AlertmanagerConfig lookups, how it logs, +// and how its pods are scheduled. type AlertmanagerCustomConfigApplyConfiguration struct { + // userAlertmanagerConfigSelection is an optional field that controls whether user-defined + // namespaces can be selected for AlertmanagerConfig lookups on the platform Alertmanager + // instance in the `openshift-monitoring` namespace. + // Valid values are Selectable and None. + // When set to Selectable, the platform Alertmanager discovers AlertmanagerConfig resources + // in user-defined namespaces. This is equivalent to `enableUserAlertmanagerConfig: true` in + // the cluster-monitoring-config ConfigMap. + // When set to None, user-defined namespaces are not selected for AlertmanagerConfig lookups + // on the platform Alertmanager. This is equivalent to `enableUserAlertmanagerConfig: false` + // in the cluster-monitoring-config ConfigMap. + // This setting only applies when the user-workload monitoring Alertmanager is not enabled. + // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + // The current default value is `None`. + UserAlertmanagerConfigSelection *configv1alpha1.UserAlertmanagerConfigSelection `json:"userAlertmanagerConfigSelection,omitempty"` // logLevel defines the verbosity of logs emitted by Alertmanager. // This field allows users to control the amount and severity of logs generated, which can be useful // for debugging issues or reducing noise in production environments. 
@@ -103,6 +118,14 @@ func AlertmanagerCustomConfig() *AlertmanagerCustomConfigApplyConfiguration { return &AlertmanagerCustomConfigApplyConfiguration{} } +// WithUserAlertmanagerConfigSelection sets the UserAlertmanagerConfigSelection field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the UserAlertmanagerConfigSelection field is set to the value of the last call. +func (b *AlertmanagerCustomConfigApplyConfiguration) WithUserAlertmanagerConfigSelection(value configv1alpha1.UserAlertmanagerConfigSelection) *AlertmanagerCustomConfigApplyConfiguration { + b.UserAlertmanagerConfigSelection = &value + return b +} + // WithLogLevel sets the LogLevel field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the LogLevel field is set to the value of the last call. diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clustermonitoringspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clustermonitoringspec.go index 35ec6d14e6..288edad61f 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clustermonitoringspec.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clustermonitoringspec.go 
@@ -78,6 +78,11 @@ type ClusterMonitoringSpecApplyConfiguration struct { // or topology spread constraints. // When set, at least one field must be specified within monitoringPluginConfig. MonitoringPluginConfig *MonitoringPluginConfigApplyConfiguration `json:"monitoringPluginConfig,omitempty"` + // kubeStateMetricsConfig is an optional field that can be used to configure the kube-state-metrics + // agent that runs in the openshift-monitoring namespace. kube-state-metrics generates metrics about + // the state of Kubernetes objects such as Deployments, Nodes, and Pods. + // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + KubeStateMetricsConfig *KubeStateMetricsConfigApplyConfiguration `json:"kubeStateMetricsConfig,omitempty"` } // ClusterMonitoringSpecApplyConfiguration constructs a declarative configuration of the ClusterMonitoringSpec type for use with @@ -173,3 +178,11 @@ func (b *ClusterMonitoringSpecApplyConfiguration) WithMonitoringPluginConfig(val b.MonitoringPluginConfig = value return b } + +// WithKubeStateMetricsConfig sets the KubeStateMetricsConfig field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the KubeStateMetricsConfig field is set to the value of the last call. +func (b *ClusterMonitoringSpecApplyConfiguration) WithKubeStateMetricsConfig(value *KubeStateMetricsConfigApplyConfiguration) *ClusterMonitoringSpecApplyConfiguration { + b.KubeStateMetricsConfig = value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/kubestatemetricsconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/kubestatemetricsconfig.go new file mode 100644 index 0000000000..ed850ef346 --- /dev/null 
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/kubestatemetricsconfig.go 
@@ -0,0 +1,145 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1 "k8s.io/api/core/v1" +) + +// KubeStateMetricsConfigApplyConfiguration represents a declarative configuration of the KubeStateMetricsConfig type for use +// with apply. +// +// KubeStateMetricsConfig provides configuration options for the kube-state-metrics agent +// that runs in the `openshift-monitoring` namespace. kube-state-metrics generates metrics +// about the state of Kubernetes objects such as Deployments, Nodes, and Pods. +type KubeStateMetricsConfigApplyConfiguration struct { + // nodeSelector defines the nodes on which the Pods are scheduled. + // nodeSelector is optional. + // + // When omitted, this means the user has no opinion and the platform is left + // to choose reasonable defaults. These defaults are subject to change over time. + // The current default value is `kubernetes.io/os: linux`. + // When specified, nodeSelector must contain at least 1 entry and must not contain more than 10 entries. + NodeSelector map[string]string `json:"nodeSelector,omitempty"` + // resources defines the compute resource requests and limits for the kube-state-metrics container. + // This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. + // When not specified, defaults are used by the platform. Requests cannot exceed limits. + // This field is optional. + // More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + // This is a simplified API that maps to Kubernetes ResourceRequirements. + // The current default values are: + // resources: + // - name: cpu + // request: 4m + // limit: null + // - name: memory + // request: 40Mi + // limit: null + // Maximum length for this list is 5. + // Minimum length for this list is 1. + // Each resource name must be unique within this list. 
+ Resources []ContainerResourceApplyConfiguration `json:"resources,omitempty"` + // tolerations defines tolerations for the pods. + // tolerations is optional. + // + // When omitted, no tolerations are applied. This default is subject to change over time. + // When specified, tolerations must contain at least 1 entry and must not contain more than 10 entries. + // Each toleration's operator, when specified, must be either "Exists" or "Equal". + // Each toleration's effect, when specified, must be one of "NoSchedule", "PreferNoSchedule", or "NoExecute". + // An empty or unset effect means match all effects. + Tolerations []v1.Toleration `json:"tolerations,omitempty"` + // topologySpreadConstraints defines rules for how kube-state-metrics Pods should be distributed + // across topology domains such as zones, nodes, or other user-defined labels. + // topologySpreadConstraints is optional. + // This helps improve high availability and resource efficiency by avoiding placing + // too many replicas in the same failure domain. + // + // This field maps directly to the `topologySpreadConstraints` field in the Pod spec. + // When omitted, no topology spread constraints are applied. This default is subject to change over time. + // When specified, topologySpreadConstraints must contain at least 1 entry and must not contain more than 10 entries. + // Entries must have unique topologyKey and whenUnsatisfiable pairs. + // Each entry's whenUnsatisfiable must be either "DoNotSchedule" or "ScheduleAnyway". + // Each entry's maxSkew must be at least 1. + // When minDomains is specified, it must be at least 1 and whenUnsatisfiable must be "DoNotSchedule". + TopologySpreadConstraints []v1.TopologySpreadConstraint `json:"topologySpreadConstraints,omitempty"` + // additionalResourceLabels defines additional Kubernetes resource labels to expose as metrics + // in kube-state-metrics. + // Currently, only "Job" and "CronJob" resources are supported due to cardinality concerns. 
+ // Each entry specifies a resource name and a list of Kubernetes label names to expose. + // Use "*" in the labels list to expose all labels for a given resource. + // additionalResourceLabels is optional. + // When omitted, no additional Kubernetes object labels are exposed as metrics + // by kube-state-metrics beyond its built-in metric labels (e.g. namespace, job_name). + // Use this field to opt in to exposing specific Kubernetes labels as metric labels + // for the supported resource types. + // Minimum length for this list is 1. + // Maximum length for this list is 2. + // Each resource name must be unique within this list. + AdditionalResourceLabels []KubeStateMetricsResourceLabelsApplyConfiguration `json:"additionalResourceLabels,omitempty"` +} + +// KubeStateMetricsConfigApplyConfiguration constructs a declarative configuration of the KubeStateMetricsConfig type for use with +// apply. +func KubeStateMetricsConfig() *KubeStateMetricsConfigApplyConfiguration { + return &KubeStateMetricsConfigApplyConfiguration{} +} + +// WithNodeSelector puts the entries into the NodeSelector field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, the entries provided by each call will be put on the NodeSelector field, +// overwriting an existing map entries in NodeSelector field with the same key. +func (b *KubeStateMetricsConfigApplyConfiguration) WithNodeSelector(entries map[string]string) *KubeStateMetricsConfigApplyConfiguration { + if b.NodeSelector == nil && len(entries) > 0 { + b.NodeSelector = make(map[string]string, len(entries)) + } + for k, v := range entries { + b.NodeSelector[k] = v + } + return b +} + +// WithResources adds the given value to the Resources field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. 
+// If called multiple times, values provided by each call will be appended to the Resources field. +func (b *KubeStateMetricsConfigApplyConfiguration) WithResources(values ...*ContainerResourceApplyConfiguration) *KubeStateMetricsConfigApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithResources") + } + b.Resources = append(b.Resources, *values[i]) + } + return b +} + +// WithTolerations adds the given value to the Tolerations field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Tolerations field. +func (b *KubeStateMetricsConfigApplyConfiguration) WithTolerations(values ...v1.Toleration) *KubeStateMetricsConfigApplyConfiguration { + for i := range values { + b.Tolerations = append(b.Tolerations, values[i]) + } + return b +} + +// WithTopologySpreadConstraints adds the given value to the TopologySpreadConstraints field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the TopologySpreadConstraints field. +func (b *KubeStateMetricsConfigApplyConfiguration) WithTopologySpreadConstraints(values ...v1.TopologySpreadConstraint) *KubeStateMetricsConfigApplyConfiguration { + for i := range values { + b.TopologySpreadConstraints = append(b.TopologySpreadConstraints, values[i]) + } + return b +} + +// WithAdditionalResourceLabels adds the given value to the AdditionalResourceLabels field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the AdditionalResourceLabels field. 
+func (b *KubeStateMetricsConfigApplyConfiguration) WithAdditionalResourceLabels(values ...*KubeStateMetricsResourceLabelsApplyConfiguration) *KubeStateMetricsConfigApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithAdditionalResourceLabels") + } + b.AdditionalResourceLabels = append(b.AdditionalResourceLabels, *values[i]) + } + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/kubestatemetricsresourcelabels.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/kubestatemetricsresourcelabels.go new file mode 100644 index 0000000000..8b4de02a9a --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/kubestatemetricsresourcelabels.go 
@@ -0,0 +1,53 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + configv1alpha1 "github.com/openshift/api/config/v1alpha1" +) + +// KubeStateMetricsResourceLabelsApplyConfiguration represents a declarative configuration of the KubeStateMetricsResourceLabels type for use +// with apply. +// +// KubeStateMetricsResourceLabels defines which Kubernetes labels to expose as metrics +// for a given resource type in kube-state-metrics. +type KubeStateMetricsResourceLabelsApplyConfiguration struct { + // resource is the Kubernetes resource name whose labels should be exposed as metrics. + // Currently, only "Job" and "CronJob" are supported due to cardinality concerns. + // Valid values are "Job" and "CronJob". + // This field is required. + Resource *configv1alpha1.KubeStateMetricsResourceName `json:"resource,omitempty"` + // labels is the list of Kubernetes label names to expose as metrics for this resource. + // Use "*" to expose all labels for the specified resource. + // When "*" is specified, it must be the only entry in the list; mixing "*" with + // specific label names is not allowed. + // This field is required. + // Each label name must be unique within this list. + // Minimum length for this list is 1. + // Maximum length for this list is 50. + Labels []configv1alpha1.KubeStateMetricsLabelName `json:"labels,omitempty"` +} + +// KubeStateMetricsResourceLabelsApplyConfiguration constructs a declarative configuration of the KubeStateMetricsResourceLabels type for use with +// apply. +func KubeStateMetricsResourceLabels() *KubeStateMetricsResourceLabelsApplyConfiguration { + return &KubeStateMetricsResourceLabelsApplyConfiguration{} +} + +// WithResource sets the Resource field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Resource field is set to the value of the last call. 
+func (b *KubeStateMetricsResourceLabelsApplyConfiguration) WithResource(value configv1alpha1.KubeStateMetricsResourceName) *KubeStateMetricsResourceLabelsApplyConfiguration { + b.Resource = &value + return b +} + +// WithLabels adds the given value to the Labels field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Labels field. +func (b *KubeStateMetricsResourceLabelsApplyConfiguration) WithLabels(values ...configv1alpha1.KubeStateMetricsLabelName) *KubeStateMetricsResourceLabelsApplyConfiguration { + for i := range values { + b.Labels = append(b.Labels, values[i]) + } + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexporterconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexporterconfig.go index 8c6a288f50..a4a250fc24 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexporterconfig.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexporterconfig.go @@ -4,7 +4,6 @@ package v1alpha1 import ( configv1alpha1 "github.com/openshift/api/config/v1alpha1" - v1 "k8s.io/api/core/v1" ) // NodeExporterConfigApplyConfiguration represents a declarative configuration of the NodeExporterConfig type for use 
@@ -16,14 +15,6 @@ import ( // network statistics. // At least one field must be specified. type NodeExporterConfigApplyConfiguration struct { - // nodeSelector defines the nodes on which the Pods are scheduled. - // nodeSelector is optional. - // - // When omitted, this means the user has no opinion and the platform is left - // to choose reasonable defaults. These defaults are subject to change over time. - // The current default value is `kubernetes.io/os: linux`. - // When specified, nodeSelector must contain at least 1 entry and must not contain more than 10 entries. - NodeSelector map[string]string `json:"nodeSelector,omitempty"` // resources defines the compute resource requests and limits for the node-exporter container. // This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. // When not specified, defaults are used by the platform. Requests cannot exceed limits. @@ -44,16 +35,6 @@ type NodeExporterConfigApplyConfiguration struct { // Minimum length for this list is 1. // Each resource name must be unique within this list. Resources []ContainerResourceApplyConfiguration `json:"resources,omitempty"` - // tolerations defines tolerations for the pods. - // tolerations is optional. - // - // When omitted, this means the user has no opinion and the platform is left - // to choose reasonable defaults. These defaults are subject to change over time. - // The current default is to tolerate all taints (operator: Exists without any key), - // which is typical for DaemonSets that must run on every node. - // Maximum length for this list is 10. - // Minimum length for this list is 1. - Tolerations []v1.Toleration `json:"tolerations,omitempty"` // collectors configures which node-exporter metric collectors are enabled. // collectors is optional. // Each collector can be individually enabled or disabled. Some collectors may have 
@@ -96,20 +77,6 @@ func NodeExporterConfig() *NodeExporterConfigApplyConfiguration { return &NodeExporterConfigApplyConfiguration{} } -// WithNodeSelector puts the entries into the NodeSelector field in the declarative configuration -// and returns the receiver, so that objects can be build by chaining "With" function invocations. -// If called multiple times, the entries provided by each call will be put on the NodeSelector field, -// overwriting an existing map entries in NodeSelector field with the same key. -func (b *NodeExporterConfigApplyConfiguration) WithNodeSelector(entries map[string]string) *NodeExporterConfigApplyConfiguration { - if b.NodeSelector == nil && len(entries) > 0 { - b.NodeSelector = make(map[string]string, len(entries)) - } - for k, v := range entries { - b.NodeSelector[k] = v - } - return b -} - // WithResources adds the given value to the Resources field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the Resources field. 
@@ -123,16 +90,6 @@ func (b *NodeExporterConfigApplyConfiguration) WithResources(values ...*Containe return b } -// WithTolerations adds the given value to the Tolerations field in the declarative configuration -// and returns the receiver, so that objects can be build by chaining "With" function invocations. -// If called multiple times, values provided by each call will be appended to the Tolerations field. -func (b *NodeExporterConfigApplyConfiguration) WithTolerations(values ...v1.Toleration) *NodeExporterConfigApplyConfiguration { - for i := range values { - b.Tolerations = append(b.Tolerations, values[i]) - } - return b -} - // WithCollectors sets the Collectors field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the Collectors field is set to the value of the last call. diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/prometheusconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/prometheusconfig.go index 31d3b9f58e..2565d5e49c 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/prometheusconfig.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/prometheusconfig.go 
@@ -101,7 +101,7 @@ type PrometheusConfigApplyConfiguration struct { // Each resource name must be unique within this list. Resources []ContainerResourceApplyConfiguration `json:"resources,omitempty"` // retention configures how long Prometheus retains metrics data and how much storage it can use. - // When omitted, the platform chooses reasonable defaults (currently 15 days retention, no size limit). + // When omitted, the platform chooses reasonable defaults (currently 15d retention, no size limit). Retention *RetentionApplyConfiguration `json:"retention,omitempty"` // tolerations defines tolerations for the pods. // tolerations is optional. diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/retention.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/retention.go index 2ca903f21f..2c999b21da 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/retention.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/retention.go 
@@ -7,20 +7,28 @@ package v1alpha1 // // Retention configures how long Prometheus retains metrics data and how much storage it can use. type RetentionApplyConfiguration struct { - // durationInDays specifies how many days Prometheus will retain metrics data. + // duration is an optional field that specifies how long Prometheus retains metrics data. + // Valid values are Prometheus-style duration strings with unit suffixes y, w, d, h, m, s, or ms + // (for example, "15d", "24h", or "5d1h30m"). Each unit value must be a positive integer. + // Composite durations must follow the fixed unit order y, w, d, h, m, s, ms. + // Must be at least 1 character and at most 64 characters. + // When set to "0", time-based retention is disabled. This is the only supported form for disabling + // time-based retention; other zero-duration representations such as "0d", "0h", or "0y" are rejected. // Prometheus automatically deletes data older than this duration. // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - // The default value is 15. - // Minimum value is 1 day. - // Maximum value is 365 days (1 year). - DurationInDays *int32 `json:"durationInDays,omitempty"` - // sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus + // The current default value is `15d`. + Duration *string `json:"duration,omitempty"` + // size is an optional field that specifies the maximum storage size that Prometheus // can use for data blocks and the write-ahead log (WAL). - // When the limit is reached, Prometheus will delete oldest data first. + // Valid values are byte-size strings with an optional decimal prefix and a unit suffix B, KB, MB, GB, + // TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, "500MiB", "10GiB"). + // The numeric value must be greater than zero. + // Must be at least 1 character and at most 32 characters. 
+ // When set to "0", no size limit is enforced. This is the only supported form for disabling size-based + // retention; other zero-size representations such as "0B" or "0MiB" are rejected. + // When the limit is reached, Prometheus deletes oldest data first. // When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. - // Minimum value is 1 GiB. - // Maximum value is 16384 GiB (16 TiB). - SizeInGiB *int32 `json:"sizeInGiB,omitempty"` + Size *string `json:"size,omitempty"` } // RetentionApplyConfiguration constructs a declarative configuration of the Retention type for use with 
@@ -29,18 +37,18 @@ func Retention() *RetentionApplyConfiguration { return &RetentionApplyConfiguration{} } -// WithDurationInDays sets the DurationInDays field in the declarative configuration to the given value +// WithDuration sets the Duration field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the DurationInDays field is set to the value of the last call. -func (b *RetentionApplyConfiguration) WithDurationInDays(value int32) *RetentionApplyConfiguration { - b.DurationInDays = &value +// If called multiple times, the Duration field is set to the value of the last call. +func (b *RetentionApplyConfiguration) WithDuration(value string) *RetentionApplyConfiguration { + b.Duration = &value return b } -// WithSizeInGiB sets the SizeInGiB field in the declarative configuration to the given value +// WithSize sets the Size field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the SizeInGiB field is set to the value of the last call. -func (b *RetentionApplyConfiguration) WithSizeInGiB(value int32) *RetentionApplyConfiguration { - b.SizeInGiB = &value +// If called multiple times, the Size field is set to the value of the last call. +func (b *RetentionApplyConfiguration) WithSize(value string) *RetentionApplyConfiguration { + b.Size = &value return b } diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/thanosquerierconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/thanosquerierconfig.go index f2fda246e1..9210a0a308 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/thanosquerierconfig.go 
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/thanosquerierconfig.go @@ -3,6 +3,7 @@ package v1alpha1 import ( + configv1alpha1 "github.com/openshift/api/config/v1alpha1" v1 "k8s.io/api/core/v1" ) 
@@ -13,6 +14,31 @@ import ( // that runs in the `openshift-monitoring` namespace. // At least one field must be specified; an empty thanosQuerierConfig object is not allowed. type ThanosQuerierConfigApplyConfiguration struct { + // logLevel defines the verbosity of logs emitted by Thanos Querier. + // logLevel is optional. + // Allowed values are Error, Warn, Info, and Debug. + // When set to Error, only errors will be logged. + // When set to Warn, both warnings and errors will be logged. + // When set to Info, general information, warnings, and errors will all be logged. + // When set to Debug, detailed debugging information will be logged. + // When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. + // The current default value is `Info`. + LogLevel *configv1alpha1.LogLevel `json:"logLevel,omitempty"` + // requestLogging configures request logging for Thanos Querier. + // requestLogging is optional. + // When provided, the policy field within is required. + // When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. + // The current default behavior is to not log any requests. + RequestLogging *ThanosQuerierRequestLoggingConfigApplyConfiguration `json:"requestLogging,omitempty"` + // crossOriginRequestPolicy configures the CORS (Cross-Origin Resource Sharing) policy + // for Thanos Querier's HTTP endpoints. + // crossOriginRequestPolicy is optional. + // Valid values are "AllowAll" and "DenyAll". + // When set to "AllowAll", CORS headers are added to responses, allowing cross-origin requests from any domain. + // When set to "DenyAll", no CORS headers are added and cross-origin requests are rejected by the browser. + // When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. + // The current default value is "DenyAll". 
+ CrossOriginRequestPolicy *configv1alpha1.CrossOriginRequestPolicy `json:"crossOriginRequestPolicy,omitempty"` // nodeSelector defines the nodes on which the Pods are scheduled. // nodeSelector is optional. // 
@@ -69,6 +95,30 @@ func ThanosQuerierConfig() *ThanosQuerierConfigApplyConfiguration { return &ThanosQuerierConfigApplyConfiguration{} } +// WithLogLevel sets the LogLevel field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the LogLevel field is set to the value of the last call. +func (b *ThanosQuerierConfigApplyConfiguration) WithLogLevel(value configv1alpha1.LogLevel) *ThanosQuerierConfigApplyConfiguration { + b.LogLevel = &value + return b +} + +// WithRequestLogging sets the RequestLogging field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the RequestLogging field is set to the value of the last call. +func (b *ThanosQuerierConfigApplyConfiguration) WithRequestLogging(value *ThanosQuerierRequestLoggingConfigApplyConfiguration) *ThanosQuerierConfigApplyConfiguration { + b.RequestLogging = value + return b +} + +// WithCrossOriginRequestPolicy sets the CrossOriginRequestPolicy field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the CrossOriginRequestPolicy field is set to the value of the last call. +func (b *ThanosQuerierConfigApplyConfiguration) WithCrossOriginRequestPolicy(value configv1alpha1.CrossOriginRequestPolicy) *ThanosQuerierConfigApplyConfiguration { + b.CrossOriginRequestPolicy = &value + return b +} + // WithNodeSelector puts the entries into the NodeSelector field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, the entries provided by each call will be put on the NodeSelector field, 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/thanosquerierrequestloggingconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/thanosquerierrequestloggingconfig.go new file mode 100644 index 0000000000..d9a6264426 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/thanosquerierrequestloggingconfig.go 
@@ -0,0 +1,34 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + configv1alpha1 "github.com/openshift/api/config/v1alpha1" +) + +// ThanosQuerierRequestLoggingConfigApplyConfiguration represents a declarative configuration of the ThanosQuerierRequestLoggingConfig type for use +// with apply. +// +// ThanosQuerierRequestLoggingConfig configures request logging for Thanos Querier. +type ThanosQuerierRequestLoggingConfigApplyConfiguration struct { + // policy determines which HTTP and gRPC requests are logged by Thanos Querier. + // Valid values are "AllRequests" and "NoRequests". + // When set to "AllRequests", every request received by Thanos Querier is logged with method, path, and response status. + // The log level for request logs is derived from the logLevel field. + // When set to "NoRequests", request logging is turned off. + Policy *configv1alpha1.RequestLoggingPolicy `json:"policy,omitempty"` +} + +// ThanosQuerierRequestLoggingConfigApplyConfiguration constructs a declarative configuration of the ThanosQuerierRequestLoggingConfig type for use with +// apply. +func ThanosQuerierRequestLoggingConfig() *ThanosQuerierRequestLoggingConfigApplyConfiguration { + return &ThanosQuerierRequestLoggingConfigApplyConfiguration{} +} + +// WithPolicy sets the Policy field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Policy field is set to the value of the last call. +func (b *ThanosQuerierRequestLoggingConfigApplyConfiguration) WithPolicy(value configv1alpha1.RequestLoggingPolicy) *ThanosQuerierRequestLoggingConfigApplyConfiguration { + b.Policy = &value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go index 913a6be828..303a840719 100644 
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go @@ -613,6 +613,7 @@ var schemaYAML = typed.YAMLObject(`types: - name: kms type: namedType: com.github.openshift.api.config.v1.KMSPluginConfig + default: {} - name: type type: scalar: string @@ -1123,6 +1124,35 @@ var schemaYAML = typed.YAMLObject(`types: type: namedType: com.github.openshift.api.config.v1.BuildOverrides default: {} +- name: com.github.openshift.api.config.v1.ClientCredentialConfig + map: + fields: + - name: clientID + type: + scalar: string + - name: clientSecret + type: + namedType: com.github.openshift.api.config.v1.ClientSecretSecretReference + default: {} + - name: scopes + type: + list: + elementType: + scalar: string + elementRelationship: associative + - name: tls + type: + namedType: com.github.openshift.api.config.v1.ExternalSourceTLS + default: {} + - name: tokenEndpoint + type: + scalar: string +- name: com.github.openshift.api.config.v1.ClientSecretSecretReference + map: + fields: + - name: name + type: + scalar: string - name: com.github.openshift.api.config.v1.CloudControllerManagerStatus map: fields: @@ -1683,6 +1713,12 @@ var schemaYAML = typed.YAMLObject(`types: elementType: scalar: string elementRelationship: atomic + - name: groups + type: + list: + elementType: + scalar: string + elementRelationship: associative - name: minTLSVersion type: scalar: string 
@@ -1791,6 +1827,37 @@ var schemaYAML = typed.YAMLObject(`types: - name: ingressIP type: scalar: string +- name: com.github.openshift.api.config.v1.ExternalClaimsSource + map: + fields: + - name: authentication + type: + namedType: com.github.openshift.api.config.v1.ExternalSourceAuthentication + default: {} + - name: mappings + type: + list: + elementType: + namedType: com.github.openshift.api.config.v1.SourcedClaimMapping + elementRelationship: associative + keys: + - name + - name: predicates + type: + list: + elementType: + namedType: com.github.openshift.api.config.v1.ExternalSourcePredicate + elementRelationship: associative + keys: + - expression + - name: tls + type: + namedType: com.github.openshift.api.config.v1.ExternalSourceTLS + default: {} + - name: url + type: + namedType: com.github.openshift.api.config.v1.SourceURL + default: {} - name: com.github.openshift.api.config.v1.ExternalIPConfig map: fields: @@ -1832,6 +1899,35 @@ var schemaYAML = typed.YAMLObject(`types: type: namedType: com.github.openshift.api.config.v1.CloudControllerManagerStatus default: {} +- name: com.github.openshift.api.config.v1.ExternalSourceAuthentication + map: + fields: + - name: clientCredential + type: + namedType: com.github.openshift.api.config.v1.ClientCredentialConfig + default: {} + - name: type + type: + scalar: string +- name: com.github.openshift.api.config.v1.ExternalSourceCertificateAuthorityConfigMapReference + map: + fields: + - name: name + type: + scalar: string +- name: com.github.openshift.api.config.v1.ExternalSourcePredicate + map: + fields: + - name: expression + type: + scalar: string +- name: com.github.openshift.api.config.v1.ExternalSourceTLS + map: + fields: + - name: certificateAuthority + type: + namedType: com.github.openshift.api.config.v1.ExternalSourceCertificateAuthorityConfigMapReference + default: {} - name: com.github.openshift.api.config.v1.ExtraMapping map: fields: 
@@ -2940,6 +3036,12 @@ var schemaYAML = typed.YAMLObject(`types: - name: networkType type: scalar: string +- name: com.github.openshift.api.config.v1.NetworkObservabilitySpec + map: + fields: + - name: installationPolicy + type: + scalar: string - name: com.github.openshift.api.config.v1.NetworkSpec map: fields: @@ -2956,6 +3058,10 @@ var schemaYAML = typed.YAMLObject(`types: type: namedType: com.github.openshift.api.config.v1.NetworkDiagnostics default: {} + - name: networkObservability + type: + namedType: com.github.openshift.api.config.v1.NetworkObservabilitySpec + default: {} - name: networkType type: scalar: string @@ -3318,6 +3424,12 @@ var schemaYAML = typed.YAMLObject(`types: elementType: namedType: com.github.openshift.api.config.v1.TokenClaimValidationRule elementRelationship: atomic + - name: externalClaimsSources + type: + list: + elementType: + namedType: com.github.openshift.api.config.v1.ExternalClaimsSource + elementRelationship: atomic - name: issuer type: namedType: com.github.openshift.api.config.v1.TokenIssuer @@ -4201,6 +4313,24 @@ var schemaYAML = typed.YAMLObject(`types: type: scalar: string default: "" +- name: com.github.openshift.api.config.v1.SourceURL + map: + fields: + - name: hostname + type: + scalar: string + - name: pathExpression + type: + scalar: string +- name: com.github.openshift.api.config.v1.SourcedClaimMapping + map: + fields: + - name: expression + type: + scalar: string + - name: name + type: + scalar: string - name: com.github.openshift.api.config.v1.Storage map: fields: @@ -4834,6 +4964,9 @@ var schemaYAML = typed.YAMLObject(`types: keys: - topologyKey - whenUnsatisfiable + - name: userAlertmanagerConfigSelection + type: + scalar: string - name: volumeClaimTemplate type: namedType: PersistentVolumeClaim.v1.core.api.k8s.io 
@@ -4984,6 +5117,10 @@ var schemaYAML = typed.YAMLObject(`types: type: namedType: com.github.openshift.api.config.v1alpha1.AlertmanagerConfig default: {} + - name: kubeStateMetricsConfig + type: + namedType: com.github.openshift.api.config.v1alpha1.KubeStateMetricsConfig + default: {} - name: metricsServerConfig type: namedType: com.github.openshift.api.config.v1alpha1.MetricsServerConfig @@ -5196,6 +5333,57 @@ var schemaYAML = typed.YAMLObject(`types: discriminatorValue: ECDSA - fieldName: rsa discriminatorValue: RSA +- name: com.github.openshift.api.config.v1alpha1.KubeStateMetricsConfig + map: + fields: + - name: additionalResourceLabels + type: + list: + elementType: + namedType: com.github.openshift.api.config.v1alpha1.KubeStateMetricsResourceLabels + elementRelationship: associative + keys: + - resource + - name: nodeSelector + type: + map: + elementType: + scalar: string + - name: resources + type: + list: + elementType: + namedType: com.github.openshift.api.config.v1alpha1.ContainerResource + elementRelationship: associative + keys: + - name + - name: tolerations + type: + list: + elementType: + namedType: Toleration.v1.core.api.k8s.io + elementRelationship: atomic + - name: topologySpreadConstraints + type: + list: + elementType: + namedType: TopologySpreadConstraint.v1.core.api.k8s.io + elementRelationship: associative + keys: + - topologyKey + - whenUnsatisfiable +- name: com.github.openshift.api.config.v1alpha1.KubeStateMetricsResourceLabels + map: + fields: + - name: labels + type: + list: + elementType: + scalar: string + elementRelationship: associative + - name: resource + type: + scalar: string - name: com.github.openshift.api.config.v1alpha1.Label map: fields: 
@@ -5343,6 +5531,10 @@ var schemaYAML = typed.YAMLObject(`types: type: namedType: com.github.openshift.api.config.v1alpha1.NodeExporterCollectorProcessesConfig default: {} + - name: softirqs + type: + namedType: com.github.openshift.api.config.v1alpha1.NodeExporterCollectorSoftirqsConfig + default: {} - name: systemd type: namedType: com.github.openshift.api.config.v1alpha1.NodeExporterCollectorSystemdConfig @@ -5408,6 +5600,12 @@ var schemaYAML = typed.YAMLObject(`types: - name: collectionPolicy type: scalar: string +- name: com.github.openshift.api.config.v1alpha1.NodeExporterCollectorSoftirqsConfig + map: + fields: + - name: collectionPolicy + type: + scalar: string - name: com.github.openshift.api.config.v1alpha1.NodeExporterCollectorSystemdCollectConfig map: fields: @@ -5454,11 +5652,6 @@ var schemaYAML = typed.YAMLObject(`types: - name: maxProcs type: scalar: numeric - - name: nodeSelector - type: - map: - elementType: - scalar: string - name: resources type: list: @@ -5467,12 +5660,6 @@ var schemaYAML = typed.YAMLObject(`types: elementRelationship: associative keys: - name - - name: tolerations - type: - list: - elementType: - namedType: Toleration.v1.core.api.k8s.io - elementRelationship: atomic - name: com.github.openshift.api.config.v1alpha1.OAuth2 map: fields: @@ -5940,12 +6127,12 @@ var schemaYAML = typed.YAMLObject(`types: - name: com.github.openshift.api.config.v1alpha1.Retention map: fields: - - name: durationInDays + - name: duration type: - scalar: numeric - - name: sizeInGiB + scalar: string + - name: size type: - scalar: numeric + scalar: string - name: com.github.openshift.api.config.v1alpha1.RetentionNumberConfig map: fields: 
@@ -6075,11 +6262,21 @@ var schemaYAML = typed.YAMLObject(`types: - name: com.github.openshift.api.config.v1alpha1.ThanosQuerierConfig map: fields: + - name: crossOriginRequestPolicy + type: + scalar: string + - name: logLevel + type: + scalar: string - name: nodeSelector type: map: elementType: scalar: string + - name: requestLogging + type: + namedType: com.github.openshift.api.config.v1alpha1.ThanosQuerierRequestLoggingConfig + default: {} - name: resources type: list: @@ -6103,6 +6300,12 @@ var schemaYAML = typed.YAMLObject(`types: keys: - topologyKey - whenUnsatisfiable +- name: com.github.openshift.api.config.v1alpha1.ThanosQuerierRequestLoggingConfig + map: + fields: + - name: policy + type: + scalar: string - name: com.github.openshift.api.config.v1alpha1.UppercaseActionConfig map: fields: diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/utils.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/utils.go index 79f4f85681..b5690c4d81 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/utils.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/utils.go @@ -78,6 +78,10 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &configv1.BuildOverridesApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("BuildSpec"): return &configv1.BuildSpecApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("ClientCredentialConfig"): + return &configv1.ClientCredentialConfigApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("ClientSecretSecretReference"): + return &configv1.ClientSecretSecretReferenceApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("CloudControllerManagerStatus"): return &configv1.CloudControllerManagerStatusApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("CloudLoadBalancerConfig"): 
@@ -150,6 +154,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &configv1.DNSZoneApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("EquinixMetalPlatformStatus"): return &configv1.EquinixMetalPlatformStatusApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("ExternalClaimsSource"): + return &configv1.ExternalClaimsSourceApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("ExternalIPConfig"): return &configv1.ExternalIPConfigApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("ExternalIPPolicy"): @@ -158,6 +164,14 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &configv1.ExternalPlatformSpecApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("ExternalPlatformStatus"): return &configv1.ExternalPlatformStatusApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("ExternalSourceAuthentication"): + return &configv1.ExternalSourceAuthenticationApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("ExternalSourceCertificateAuthorityConfigMapReference"): + return &configv1.ExternalSourceCertificateAuthorityConfigMapReferenceApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("ExternalSourcePredicate"): + return &configv1.ExternalSourcePredicateApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("ExternalSourceTLS"): + return &configv1.ExternalSourceTLSApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("ExtraMapping"): return &configv1.ExtraMappingApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("FeatureGate"): 
@@ -290,6 +304,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &configv1.NetworkDiagnosticsTargetPlacementApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("NetworkMigration"): return &configv1.NetworkMigrationApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("NetworkObservabilitySpec"): + return &configv1.NetworkObservabilitySpecApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("NetworkSpec"): return &configv1.NetworkSpecApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("NetworkStatus"): @@ -416,6 +432,10 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &configv1.SecretNameReferenceApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("SignatureStore"): return &configv1.SignatureStoreApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("SourcedClaimMapping"): + return &configv1.SourcedClaimMappingApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("SourceURL"): + return &configv1.SourceURLApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("Storage"): return &configv1.StorageApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("TemplateReference"): @@ -540,6 +560,10 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &configv1alpha1.KeepEqualActionConfigApplyConfiguration{} case v1alpha1.SchemeGroupVersion.WithKind("KeyConfig"): return &configv1alpha1.KeyConfigApplyConfiguration{} + case v1alpha1.SchemeGroupVersion.WithKind("KubeStateMetricsConfig"): + return &configv1alpha1.KubeStateMetricsConfigApplyConfiguration{} + case v1alpha1.SchemeGroupVersion.WithKind("KubeStateMetricsResourceLabels"): + return &configv1alpha1.KubeStateMetricsResourceLabelsApplyConfiguration{} case v1alpha1.SchemeGroupVersion.WithKind("Label"): return &configv1alpha1.LabelApplyConfiguration{} case v1alpha1.SchemeGroupVersion.WithKind("LabelMapActionConfig"): 
@@ -642,6 +666,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &configv1alpha1.TelemeterClientConfigApplyConfiguration{} case v1alpha1.SchemeGroupVersion.WithKind("ThanosQuerierConfig"): return &configv1alpha1.ThanosQuerierConfigApplyConfiguration{} + case v1alpha1.SchemeGroupVersion.WithKind("ThanosQuerierRequestLoggingConfig"): + return &configv1alpha1.ThanosQuerierRequestLoggingConfigApplyConfiguration{} case v1alpha1.SchemeGroupVersion.WithKind("TLSConfig"): return &configv1alpha1.TLSConfigApplyConfiguration{} case v1alpha1.SchemeGroupVersion.WithKind("UppercaseActionConfig"): diff --git a/vendor/github.com/openshift/client-go/operator/applyconfigurations/internal/internal.go b/vendor/github.com/openshift/client-go/operator/applyconfigurations/internal/internal.go index 7603b05954..1e4a11635f 100644 --- a/vendor/github.com/openshift/client-go/operator/applyconfigurations/internal/internal.go +++ b/vendor/github.com/openshift/client-go/operator/applyconfigurations/internal/internal.go @@ -344,6 +344,12 @@ var schemaYAML = typed.YAMLObject(`types: elementType: scalar: string elementRelationship: atomic + - name: groups + type: + list: + elementType: + scalar: string + elementRelationship: associative - name: minTLSVersion type: scalar: string @@ -400,6 +406,12 @@ var schemaYAML = typed.YAMLObject(`types: elementType: scalar: string elementRelationship: atomic + - name: groups + type: + list: + elementType: + scalar: string + elementRelationship: associative - name: minTLSVersion type: scalar: string diff --git a/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/etcdspec.go b/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/etcdspec.go index c3f57e5165..5b685313a2 100644 --- a/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/etcdspec.go +++ b/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/etcdspec.go 
@@ -19,7 +19,7 @@ type EtcdSpecApplyConfiguration struct { // which is subject to change without notice. HardwareSpeed *operatorv1.ControlPlaneHardwareSpeed `json:"controlPlaneHardwareSpeed,omitempty"` // backendQuotaGiB sets the etcd backend storage size limit in gibibytes. - // The value should be an integer not less than 8 and not more than 32. + // The value should be an integer not less than 8 and not more than 16. // When not specified, the default value is 8. BackendQuotaGiB *int32 `json:"backendQuotaGiB,omitempty"` } diff --git a/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/kmsencryptionstatus.go b/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/kmsencryptionstatus.go new file mode 100644 index 0000000000..34297c2140 --- /dev/null +++ b/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/kmsencryptionstatus.go 
@@ -0,0 +1,31 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +// KMSEncryptionStatusApplyConfiguration represents a declarative configuration of the KMSEncryptionStatus type for use +// with apply. +type KMSEncryptionStatusApplyConfiguration struct { + // healthReports contains all KMS plugin health reports. + // When omitted, no health reports are available. + // Each entry must have a unique combination of nodeName and keyId. + HealthReports []KMSPluginHealthReportApplyConfiguration `json:"healthReports,omitempty"` +} + +// KMSEncryptionStatusApplyConfiguration constructs a declarative configuration of the KMSEncryptionStatus type for use with +// apply. +func KMSEncryptionStatus() *KMSEncryptionStatusApplyConfiguration { + return &KMSEncryptionStatusApplyConfiguration{} +} + +// WithHealthReports adds the given value to the HealthReports field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the HealthReports field. +func (b *KMSEncryptionStatusApplyConfiguration) WithHealthReports(values ...*KMSPluginHealthReportApplyConfiguration) *KMSEncryptionStatusApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithHealthReports") + } + b.HealthReports = append(b.HealthReports, *values[i]) + } + return b +} diff --git a/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/kmspluginhealthreport.go b/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/kmspluginhealthreport.go new file mode 100644 index 0000000000..40d8eac773 --- /dev/null +++ b/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/kmspluginhealthreport.go 
@@ -0,0 +1,91 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +import ( + operatorv1 "github.com/openshift/api/operator/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// KMSPluginHealthReportApplyConfiguration represents a declarative configuration of the KMSPluginHealthReport type for use +// with apply. +type KMSPluginHealthReportApplyConfiguration struct { + // nodeName is the name of the node this instance of the plugin runs on. + // The combination of nodeName and keyId makes this health report unique. + // The value must be a valid Kubernetes node name: a lowercase RFC 1123 subdomain + // consisting of lowercase alphanumeric characters, '-' or '.', starting and ending with + // an alphanumeric character, and be at most 253 characters in length. + NodeName *string `json:"nodeName,omitempty"` + // keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node. + // This is not a cryptographic key used to encrypt/decrypt any resources. + // The value must be between 1 and 512 characters. + KeyId *string `json:"keyId,omitempty"` + // status contains a health indicator for the respective KMS plugin + // The field can have three states: healthy, unhealthy, error. + // With error and unhealthy containing additional information in Detail. + Status *operatorv1.KMSPluginHealthStatus `json:"status,omitempty"` + // lastCheckedTime is a timestamp of when the probe was last checked. + LastCheckedTime *metav1.Time `json:"lastCheckedTime,omitempty"` + // kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + // This is not a cryptographic key, but a unique representation of the KEK. + // The value must be between 1 and 1024 characters. + KEKId *string `json:"kekId,omitempty"` + // detail contains additional error/health information for the respective KMS plugin. + // When omitted, no additional error or health information is provided. 
+ // When set, the value must be between 1 and 1024 characters. + Detail *string `json:"detail,omitempty"` +} + +// KMSPluginHealthReportApplyConfiguration constructs a declarative configuration of the KMSPluginHealthReport type for use with +// apply. +func KMSPluginHealthReport() *KMSPluginHealthReportApplyConfiguration { + return &KMSPluginHealthReportApplyConfiguration{} +} + +// WithNodeName sets the NodeName field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the NodeName field is set to the value of the last call. +func (b *KMSPluginHealthReportApplyConfiguration) WithNodeName(value string) *KMSPluginHealthReportApplyConfiguration { + b.NodeName = &value + return b +} + +// WithKeyId sets the KeyId field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the KeyId field is set to the value of the last call. +func (b *KMSPluginHealthReportApplyConfiguration) WithKeyId(value string) *KMSPluginHealthReportApplyConfiguration { + b.KeyId = &value + return b +} + +// WithStatus sets the Status field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Status field is set to the value of the last call. +func (b *KMSPluginHealthReportApplyConfiguration) WithStatus(value operatorv1.KMSPluginHealthStatus) *KMSPluginHealthReportApplyConfiguration { + b.Status = &value + return b +} + +// WithLastCheckedTime sets the LastCheckedTime field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. 
+// If called multiple times, the LastCheckedTime field is set to the value of the last call. +func (b *KMSPluginHealthReportApplyConfiguration) WithLastCheckedTime(value metav1.Time) *KMSPluginHealthReportApplyConfiguration { + b.LastCheckedTime = &value + return b +} + +// WithKEKId sets the KEKId field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the KEKId field is set to the value of the last call. +func (b *KMSPluginHealthReportApplyConfiguration) WithKEKId(value string) *KMSPluginHealthReportApplyConfiguration { + b.KEKId = &value + return b +} + +// WithDetail sets the Detail field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Detail field is set to the value of the last call. +func (b *KMSPluginHealthReportApplyConfiguration) WithDetail(value string) *KMSPluginHealthReportApplyConfiguration { + b.Detail = &value + return b +} diff --git a/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/kubeapiserverstatus.go b/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/kubeapiserverstatus.go index b6b6bd8664..c6eec2ce4f 100644 --- a/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/kubeapiserverstatus.go +++ b/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/kubeapiserverstatus.go 
@@ -12,6 +12,8 @@ type KubeAPIServerStatusApplyConfiguration struct { // The default expiration for the items is set by the platform and it defaults to 24h. // see: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection ServiceAccountIssuers []ServiceAccountIssuerStatusApplyConfiguration `json:"serviceAccountIssuers,omitempty"` + // encryptionStatus contains status reports for the KMS plugin health and its key rotation. + EncryptionStatus *KMSEncryptionStatusApplyConfiguration `json:"encryptionStatus,omitempty"` } // KubeAPIServerStatusApplyConfiguration constructs a declarative configuration of the KubeAPIServerStatus type for use with @@ -111,3 +113,11 @@ func (b *KubeAPIServerStatusApplyConfiguration) WithServiceAccountIssuers(values } return b } + +// WithEncryptionStatus sets the EncryptionStatus field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the EncryptionStatus field is set to the value of the last call. +func (b *KubeAPIServerStatusApplyConfiguration) WithEncryptionStatus(value *KMSEncryptionStatusApplyConfiguration) *KubeAPIServerStatusApplyConfiguration { + b.EncryptionStatus = value + return b +} diff --git a/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/oauthapiserverstatus.go b/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/oauthapiserverstatus.go index 381d4a7e7b..1ccbf802f2 100644 --- a/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/oauthapiserverstatus.go +++ b/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/oauthapiserverstatus.go 
@@ -8,6 +8,8 @@ type OAuthAPIServerStatusApplyConfiguration struct { // latestAvailableRevision is the latest revision used as suffix of revisioned // secrets like encryption-config. A new revision causes a new deployment of pods. LatestAvailableRevision *int32 `json:"latestAvailableRevision,omitempty"` + // encryptionStatus contains status reports for the KMS plugin health and its key rotation. + EncryptionStatus *KMSEncryptionStatusApplyConfiguration `json:"encryptionStatus,omitempty"` } // OAuthAPIServerStatusApplyConfiguration constructs a declarative configuration of the OAuthAPIServerStatus type for use with @@ -23,3 +25,11 @@ func (b *OAuthAPIServerStatusApplyConfiguration) WithLatestAvailableRevision(val b.LatestAvailableRevision = &value return b } + +// WithEncryptionStatus sets the EncryptionStatus field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the EncryptionStatus field is set to the value of the last call. +func (b *OAuthAPIServerStatusApplyConfiguration) WithEncryptionStatus(value *KMSEncryptionStatusApplyConfiguration) *OAuthAPIServerStatusApplyConfiguration { + b.EncryptionStatus = value + return b +} diff --git a/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/openshiftapiserverstatus.go b/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/openshiftapiserverstatus.go index 776701d546..3a68909d54 100644 --- a/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/openshiftapiserverstatus.go +++ b/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/openshiftapiserverstatus.go 
@@ -6,6 +6,8 @@ package v1 // with apply. type OpenShiftAPIServerStatusApplyConfiguration struct { OperatorStatusApplyConfiguration `json:",inline"` + // encryptionStatus contains status reports for the KMS plugin health and its key rotation. + EncryptionStatus *KMSEncryptionStatusApplyConfiguration `json:"encryptionStatus,omitempty"` } // OpenShiftAPIServerStatusApplyConfiguration constructs a declarative configuration of the OpenShiftAPIServerStatus type for use with @@ -71,3 +73,11 @@ func (b *OpenShiftAPIServerStatusApplyConfiguration) WithGenerations(values ...* } return b } + +// WithEncryptionStatus sets the EncryptionStatus field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the EncryptionStatus field is set to the value of the last call. +func (b *OpenShiftAPIServerStatusApplyConfiguration) WithEncryptionStatus(value *KMSEncryptionStatusApplyConfiguration) *OpenShiftAPIServerStatusApplyConfiguration { + b.EncryptionStatus = value + return b +} diff --git a/vendor/github.com/openshift/client-go/operator/applyconfigurations/utils.go b/vendor/github.com/openshift/client-go/operator/applyconfigurations/utils.go index 41aa696852..b2c32f4cd6 100644 --- a/vendor/github.com/openshift/client-go/operator/applyconfigurations/utils.go +++ b/vendor/github.com/openshift/client-go/operator/applyconfigurations/utils.go 
@@ -236,6 +236,10 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &operatorv1.IPv6OVNKubernetesConfigApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("IrreconcilableValidationOverrides"): return &operatorv1.IrreconcilableValidationOverridesApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("KMSEncryptionStatus"): + return &operatorv1.KMSEncryptionStatusApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("KMSPluginHealthReport"): + return &operatorv1.KMSPluginHealthReportApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("KubeAPIServer"): return &operatorv1.KubeAPIServerApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("KubeAPIServerSpec"): diff --git a/vendor/modules.txt b/vendor/modules.txt index 6f49b58571..46a52f2e8f 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -286,7 +286,7 @@ github.com/opencontainers/image-spec/specs-go/v1 ## explicit; go 1.19 github.com/opencontainers/selinux/go-selinux github.com/opencontainers/selinux/pkg/pwalkdir -# github.com/openshift/api v0.0.0-20260521125114-09730f85d883 +# github.com/openshift/api v0.0.0-20260618083218-a3c8dea7f8bc ## explicit; go 1.25.0 github.com/openshift/api github.com/openshift/api/annotations @@ -376,7 +376,7 @@ github.com/openshift/build-machinery-go/make/targets/golang github.com/openshift/build-machinery-go/make/targets/openshift github.com/openshift/build-machinery-go/make/targets/openshift/operator github.com/openshift/build-machinery-go/scripts -# github.com/openshift/client-go v0.0.0-20260512113608-deb4dc54551a +# github.com/openshift/client-go v0.0.0-20260618131434-17fd91ed6167 ## explicit; go 1.25.0 github.com/openshift/client-go/apps/applyconfigurations/apps/v1 github.com/openshift/client-go/apps/applyconfigurations/internal From 1d303cba1c6d8cb0b7bd5ee80890ae8f660b596a Mon Sep 17 00:00:00 2001 
From: Krzysztof Ostrowski Date: Fri, 19 Jun 2026 10:59:28 +0200 Subject: [PATCH 3/3] kms/health: add report writer Adds a health report writer. The construction is a bit awkward, but the lib knows how to create the healthreport-to-be-applied-config and the individual operator knows where to apply it. --- pkg/operator/encryption/kms/health/cmd.go | 38 ++++++----- .../encryption/kms/health/cmd_test.go | 34 ++++++++++ pkg/operator/encryption/kms/health/writer.go | 58 ++++++++++++++++ .../encryption/kms/health/writer_test.go | 67 +++++++++++++++++++ 4 files changed, 180 insertions(+), 17 deletions(-) create mode 100644 pkg/operator/encryption/kms/health/writer.go create mode 100644 pkg/operator/encryption/kms/health/writer_test.go diff --git a/pkg/operator/encryption/kms/health/cmd.go b/pkg/operator/encryption/kms/health/cmd.go index 3055e4ce90..456a823be5 100644 --- a/pkg/operator/encryption/kms/health/cmd.go +++ b/pkg/operator/encryption/kms/health/cmd.go @@ -6,7 +6,6 @@ import ( "regexp" "time" - "github.com/openshift/library-go/pkg/operator/v1helpers" "github.com/spf13/cobra" "github.com/spf13/pflag" @@ -14,7 +13,6 @@ import ( "k8s.io/apimachinery/pkg/util/wait" "k8s.io/apiserver/pkg/server" k8senvelopekmsv2 "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2" - "k8s.io/client-go/rest" "k8s.io/client-go/tools/clientcmd" "k8s.io/klog/v2" ) 
@@ -35,21 +33,21 @@ type options struct { NodeName string Kubeconfig string - newOperatorClient func(*rest.Config) (v1helpers.OperatorClient, error) + newWriter NewEncryptionStatusWriterFunc } type Config struct { - operatorClient v1helpers.OperatorClient - prober *prober + writeStatus EncryptionStatusWriter + prober *prober interval time.Duration writeTimeout time.Duration nodeName string } -func NewCommand(ctx context.Context, newOperatorClient func(*rest.Config) (v1helpers.OperatorClient, error)) *cobra.Command { +func NewCommand(ctx context.Context, newWriter NewEncryptionStatusWriterFunc) *cobra.Command { o := &options{ - newOperatorClient: newOperatorClient, + newWriter: newWriter, } cmd := &cobra.Command{ @@ -126,9 +124,11 @@ func (o *options) Config(ctx context.Context) (*Config, error) { return nil, fmt.Errorf("build rest config: %w", err) } - operatorClient, err := o.newOperatorClient(restCfg) + // fieldManager is the per-node ownership identity. + fieldManager := "kms-health-reporter-" + o.NodeName + writeStatus, err := o.newWriter(restCfg, fieldManager) if err != nil { - return nil, fmt.Errorf("build operator client: %w", err) + return nil, fmt.Errorf("build encryption status writer: %w", err) } plugins, err := buildPlugins(ctx, o.KMSSockets, o.ReadTimeout) @@ -137,11 +137,11 @@ func (o *options) Config(ctx context.Context) (*Config, error) { } return &Config{ - operatorClient: operatorClient, - prober: newProber(plugins), - interval: o.Interval, - writeTimeout: o.WriteTimeout, - nodeName: o.NodeName, + writeStatus: writeStatus, + prober: newProber(plugins), + interval: o.Interval, + writeTimeout: o.WriteTimeout, + nodeName: o.NodeName, }, nil } 
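Review bot: `fieldManager := "kms-health-reporter-" + o.NodeName` can exceed the server-side limit on field manager names: apimachinery rejects a manager longer than 128 characters, while a Kubernetes node name may be up to 253, so on such a node every apply is refused and that node never publishes a report. Unless validate (outside this hunk) already caps NodeName, derive a bounded identity, e.g. fall back to a stable hash of the node name when the concatenation is too long, and record the constraint in the comment: `// fieldManager is the per-node ownership identity; it must stay within the 128-character field manager limit.` Note that a per-node manager only isolates each node's entries if healthReports is a map-type list keyed by nodeName and keyId, which the vendored type's doc comment suggests but nothing in this hunk shows. options.Config starts and ends outside the hunk.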
@@ -149,9 +149,13 @@ func (c *Config) Run(ctx context.Context) error { wait.JitterUntilWithContext(ctx, func(ctx context.Context) { // Each Status RPC enforces the read timeout internally (set at dial // time); ctx here only carries shutdown cancellation. - conditions := c.prober.probeAll(ctx) - // TODO: hand conditions to the writer once it lands; logging is a placeholder. - klog.InfoS("kms plugin health", "conditions", conditions) + reports := c.prober.probeAll(ctx) + + writeCtx, cancel := context.WithTimeout(ctx, c.writeTimeout) + defer cancel() + if err := c.writeStatus(writeCtx, buildEncryptionStatus(c.nodeName, reports)); err != nil { + klog.ErrorS(err, "failed to publish kms plugin health") + } }, c.interval, 0.1, false) return nil diff --git a/pkg/operator/encryption/kms/health/cmd_test.go b/pkg/operator/encryption/kms/health/cmd_test.go index 77f7d6108c..cf17a38d86 100644 --- a/pkg/operator/encryption/kms/health/cmd_test.go +++ b/pkg/operator/encryption/kms/health/cmd_test.go @@ -1,10 +1,14 @@ package health import ( + "context" "testing" "time" "github.com/stretchr/testify/require" + + applyoperatorv1 "github.com/openshift/client-go/operator/applyconfigurations/operator/v1" + kmsservice "k8s.io/kms/pkg/service" ) // validOptions returns an options value that passes validate. Each test case 
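Review bot: A failing apply in the new write path is only logged (`klog.ErrorS(err, "failed to publish kms plugin health")`), so readers of the operator status see nothing but an ageing lastCheckedTime while the previous report stays in place; that contract deserves a comment above the write, e.g. `// On write failure the previously applied report remains; consumers must treat a stale lastCheckedTime as unknown health.` The same branch fires on shutdown: if ctx is cancelled while probeAll is running, writeCtx is already done and the doomed write is reported at error level, which `if err := c.writeStatus(writeCtx, buildEncryptionStatus(c.nodeName, reports)); err != nil && ctx.Err() == nil {` avoids without a new import. Run's closing brace is outside the hunk.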
@@ -119,3 +123,33 @@ func TestValidate(t *testing.T) {
 })
 }
 }
+
+// TestRunReportsOnce checks the loop wiring: Run probes, builds the status, and
+// hands it to the reporter. The reporter cancels the context so the loop ends
+// after a single tick.
+func TestRunReportsOnce(t *testing.T) {
+ ctx, cancel := context.WithCancel(context.Background())
+
+ var have *applyoperatorv1.KMSEncryptionStatusApplyConfiguration
+ c := &Config{
+ nodeName: "node-1",
+ interval: time.Hour, // never reached; cancelled after the first tick
+ writeTimeout: time.Second,
+ prober: &prober{
+ plugins: []pluginClient{
+ {keyID: "1", service: &fakeService{resp: &kmsservice.StatusResponse{Healthz: "ok", KeyID: "kek-abc"}}},
+ },
+ now: func() time.Time { return time.Unix(0, 0).UTC() },
+ },
+ writeStatus: func(_ context.Context, status *applyoperatorv1.KMSEncryptionStatusApplyConfiguration) error {
+ have = status
+ cancel()
+ return nil
+ },
+ }
+
+ require.NoError(t, c.Run(ctx))
+ require.Len(t, have.HealthReports, 1)
+ require.Equal(t, "node-1", *have.HealthReports[0].NodeName)
+ require.Equal(t, "1", *have.HealthReports[0].KeyId)
+}
diff --git a/pkg/operator/encryption/kms/health/writer.go b/pkg/operator/encryption/kms/health/writer.go
new file mode 100644
index 0000000000..ddccaf7098
--- /dev/null
+++ b/pkg/operator/encryption/kms/health/writer.go
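Review bot: `require.Len(t, have.HealthReports, 1)` dereferences `have`, which is still nil if writeStatus was never invoked, so a wiring regression in Run would surface as a nil-pointer panic instead of an assertion failure; add `require.NotNil(t, have)` directly after `require.NoError(t, c.Run(ctx))`. The test also depends on the loop running its first tick before waiting, which is what lets the hour-long interval never be reached; since that is a property of JitterUntilWithContext rather than of this package, a short comment on the `require.NoError` line stating it would help the next reader.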
@@ -0,0 +1,58 @@
+package health
+
+import (
+ "context"
+
+ operatorv1 "github.com/openshift/api/operator/v1"
+ applyoperatorv1 "github.com/openshift/client-go/operator/applyconfigurations/operator/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/client-go/rest"
+)
+
+// NewEncryptionStatusWriterFunc builds the EncryptionStatusWriter for a target
+// apiserver operator status CR. fieldManager sets the owner in the
+// managedFields when doing SSA.
+type NewEncryptionStatusWriterFunc func(restConfig *rest.Config, fieldManager string) (EncryptionStatusWriter, error)
+
+// EncryptionStatusWriter is capable of applying the
+// KMSEncryptionStatusApplyConfiguration at the correct place in the operator's
+// status.
+type EncryptionStatusWriter func(ctx context.Context, status *applyoperatorv1.KMSEncryptionStatusApplyConfiguration) error
+
+// buildEncryptionStatus builds the KMSEncryptionStatusApplyConfiguration to be
+// applied by the operator.
+func buildEncryptionStatus(nodeName string, reports []pluginHealthReport) *applyoperatorv1.KMSEncryptionStatusApplyConfiguration {
+ healthReports := make([]*applyoperatorv1.KMSPluginHealthReportApplyConfiguration, 0, len(reports))
+ for _, r := range reports {
+ hr := applyoperatorv1.KMSPluginHealthReport().
+ WithNodeName(nodeName).
+ WithKeyId(r.KeyID).
+ WithStatus(mapStatus(r.Status)).
+ WithLastCheckedTime(metav1.NewTime(r.LastChecked))
+
+ // kekId/detail have MinLength=1; setting "" would fail validation.
+ if r.KEKID != "" {
+ hr = hr.WithKEKId(r.KEKID)
+ }
+ if r.Detail != "" {
+ hr = hr.WithDetail(r.Detail)
+ }
+
+ healthReports = append(healthReports, hr)
+ }
+
+ return applyoperatorv1.KMSEncryptionStatus().WithHealthReports(healthReports...)
+}
+
+// mapStatus defaults to Error so an unknown value never becomes an empty,
+// invalid enum.
+func mapStatus(s string) operatorv1.KMSPluginHealthStatus {
+ switch s {
+ case statusHealthy:
+ return operatorv1.KMSPluginHealthStatusHealthy
+ case statusUnhealthy:
+ return operatorv1.KMSPluginHealthStatusUnhealthy
+ default:
+ return operatorv1.KMSPluginHealthStatusError
+ }
+}
diff --git a/pkg/operator/encryption/kms/health/writer_test.go b/pkg/operator/encryption/kms/health/writer_test.go
new file mode 100644
index 0000000000..094f2d90c5
--- /dev/null
+++ b/pkg/operator/encryption/kms/health/writer_test.go
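Review bot: The MinLength guards in buildEncryptionStatus cover only the lower bound; detail carries plugin-side error text and kekId is taken verbatim from the plugin's StatusResponse.key_id, and the vendored field docs cap both at 1024 characters, so a single oversized value makes the whole KMSEncryptionStatus apply fail validation and silently drops every report for the node. Capping the plugin-controlled strings before they enter the apply configuration keeps one misbehaving plugin from blanking its peers' entries; MaxLength is a character count, so truncate by runes rather than bytes. If the prober already enforces the kmsv2 key-id size limit from the package cmd.go imports, only detail needs the cap; otherwise apply the same helper to kekId. The excerpt below needs a `unicode/utf8` import.

```go
// maxDetailLength mirrors the MaxLength constraint documented on the
// KMSPluginHealthReport detail field.
const maxDetailLength = 1024

// truncateRunes caps s at limit characters (CRD MaxLength counts runes, not
// bytes) so a plugin-supplied string cannot fail validation for the whole
// node's report.
func truncateRunes(s string, limit int) string {
	if utf8.RuneCountInString(s) <= limit {
		return s
	}
	return string([]rune(s)[:limit])
}

// … unchanged: buildEncryptionStatus through the kekId guard …
		if r.Detail != "" {
			hr = hr.WithDetail(truncateRunes(r.Detail, maxDetailLength))
		}
// … unchanged: append and return …
```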
@@ -0,0 +1,67 @@
+package health
+
+import (
+ "testing"
+ "time"
+
+ "github.com/stretchr/testify/require"
+
+ operatorv1 "github.com/openshift/api/operator/v1"
+ applyoperatorv1 "github.com/openshift/client-go/operator/applyconfigurations/operator/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestBuildEncryptionStatus(t *testing.T) {
+ // Fixed UTC time dodges Go's monotonic clock and timezone drift.
+ checked := time.Unix(0, 0).UTC()
+ reports := []pluginHealthReport{
+ {KeyID: "1", KEKID: "kek-abc", Status: statusHealthy, LastChecked: checked},
+ {KeyID: "2", Status: statusUnhealthy, Detail: "not ok", LastChecked: checked},
+ {KeyID: "3", Status: statusError, Detail: "DeadlineExceeded", LastChecked: checked},
+ }
+
+ have := buildEncryptionStatus("node-1", reports)
+
+ // Each entry stamps nodeName; kekId only on healthy, detail only on the
+ // unhealthy/error entries, status mapped to the API enum.
+ want := applyoperatorv1.KMSEncryptionStatus().WithHealthReports(
+ applyoperatorv1.KMSPluginHealthReport().
+ WithNodeName("node-1").
+ WithKeyId("1").
+ WithStatus(operatorv1.KMSPluginHealthStatusHealthy).
+ WithLastCheckedTime(metav1.NewTime(checked)).
+ WithKEKId("kek-abc"),
+ applyoperatorv1.KMSPluginHealthReport().
+ WithNodeName("node-1").
+ WithKeyId("2").
+ WithStatus(operatorv1.KMSPluginHealthStatusUnhealthy).
+ WithLastCheckedTime(metav1.NewTime(checked)).
+ WithDetail("not ok"),
+ applyoperatorv1.KMSPluginHealthReport().
+ WithNodeName("node-1").
+ WithKeyId("3").
+ WithStatus(operatorv1.KMSPluginHealthStatusError).
+ WithLastCheckedTime(metav1.NewTime(checked)).
+ WithDetail("DeadlineExceeded"),
+ )
+
+ require.Equal(t, want, have)
+}
+
+func TestMapStatus(t *testing.T) {
+ tests := []struct {
+ in string
+ want operatorv1.KMSPluginHealthStatus
+ }{
+ {statusHealthy, operatorv1.KMSPluginHealthStatusHealthy},
+ {statusUnhealthy, operatorv1.KMSPluginHealthStatusUnhealthy},
+ {statusError, operatorv1.KMSPluginHealthStatusError},
+ {"unexpected", operatorv1.KMSPluginHealthStatusError},
+ }
+
+ for _, tc := range tests {
+ t.Run(tc.in, func(t *testing.T) {
+ require.Equal(t, tc.want, mapStatus(tc.in))
+ })
+ }
+}
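Review bot: TestBuildEncryptionStatus never exercises the empty input, which is the case that matters for server-side apply: with no reports the loop body never runs and HealthReports stays nil, so the resulting apply would clear this manager's entries; pin that with `require.Nil(t, buildEncryptionStatus("node-1", nil).HealthReports)`. A fourth report carrying both KEKID and Detail would also show that the two MinLength guards are independent of status, which the comment `kekId only on healthy, detail only on the unhealthy/error entries` could otherwise be read as implying.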